NIST SP 800-171
NIST SP 800-171 overview
The National Institute of Standards and Technology (NIST) SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations provides guidelines for the protection of controlled unclassified information (CUI) in nonfederal information systems and organizations. It is tailored to nonfederal systems, allowing nonfederal organizations to be in compliance with statutory and regulatory requirements, and to consistently implement safeguards for the protection of CUI. NIST SP 800-171 is intended to be used by federal agencies in contracts or other agreements established with nonfederal organizations.
The CUI requirements within NIST SP 800-171 are derived from:
- NIST FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- 32 CFR Part 2002 Controlled Unclassified Information (CUI)
The CUI Registry provides specific categories of information that is under protection by the Executive branch, for example, more than 20 category groupings are included in the CUI category list, such as:
- Critical infrastructure (for example, Critical Energy Infrastructure Information)
- Defense (for example, Naval Nuclear Propulsion Information, Unclassified Controlled Nuclear Information – Defense)
- Export Control (for example, Export Administration Regulations (EAR) restrictions for items on the Commerce Control List, or International Traffic in Arms Regulations (ITAR) restrictions for items on the US Munitions List)
- Financial (for example, bank secrecy, budget, and so on)
- Intelligence (for example, Foreign Intelligence Surveillance Act)
- Law enforcement (for example, criminal history records, accident investigations, and so on)
- Nuclear (for example, Unclassified Controlled Nuclear Information – Energy)
- Privacy (for example, military personnel records, health information, and so on)
- And more
Azure and NIST SP 800-171
The US Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. FedRAMP is based on the National Institute of Standards and Technology (NIST) SP 800-53 standard, augmented by FedRAMP controls and control enhancements. Both Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB).
Mapping tables in the NIST SP 800-171 Appendix D (D1 through D14) provide control mapping between CUI security requirements and relevant security controls in NIST SP 800-53, indicating that NIST SP 800-171 represents a subset of the NIST SP 800-53 controls for which Azure has already been assessed and authorized under FedRAMP. Therefore, you can be assured that FedRAMP High baseline addresses fully and exceeds the requirements of NIST SP 800-171. All Azure and Azure Government services that have received FedRAMP High P-ATO conform to the NIST SP 800-171 requirements and can help you safeguard your CUI workloads.
Moreover, an accredited third-party assessment organization (3PAO) has attested that Azure (also known as Azure Commercial) and Azure Government cloud service offerings meet the NIST SP 800-171 criteria if the system processes CUI. Implementation of the FedRAMP High baseline and FIPS 200 ensures that Azure and Azure Government meet the criteria in NIST SP 800-171, using the systems and practices that are already in place. It also ensures that on federal systems, these cloud environments are using a standardized and uniform set of requirements for all CUI security needs, if such systems store CUI. For more information, see Attestation documents.
For extra customer assistance, Microsoft provides the Azure Policy regulatory compliance built-in initiatives for Azure and Azure Government, which map to NIST SP 800-171 compliance domains and controls:
- Azure
- Azure Government
Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each NIST SP 800-171 control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.
Azure and U-NNPI
The Naval Nuclear Propulsion Program was created under Executive Order 12344 (see also 50 USC 2511). It comprises the military and civilian personnel who design, build, operate, maintain, and manage the nuclear-powered ships and the many facilities that support the US nuclear-powered naval fleet. The program provides the design, development, and operational support required to enable militarily effective nuclear propulsion plants and ensure their safe, reliable and long-lived operation.
Naval Nuclear Propulsion Information (NNPI) that is designated as CUI is listed in the CUI category list. Unclassified NNPI (U-NNPI) is marked Not Releasable to Foreign Nationals (NOFORN), and it may not be released publicly or disclosed to foreign nationals. Table 1 and Exhibit 1 in OPNAVINST N9210.3 Safeguarding of Naval Nuclear Propulsion Information (NNPI) discuss the different classification levels/handling controls for NNPI, including access requirements for U-NNPI. Azure Government can accommodate U-NNPI workloads because it is designed to meet specific controls that restrict access to information and systems to US persons among Azure operations personnel. Azure Government also imposes background screening requirements mandated by US Government on operations personnel with access to production systems. For more information, see Screening and Azure support for export controls. Moreover, an accredited third-party assessment organization (3PAO) has attested that Azure Government has implemented the security controls that are part of the Navy's security overlay.
Note
You must contact Naval Reactors (Naval Nuclear Propulsion Program) to obtain authorization prior to hosting unclassified NNPI (U-NNPI) on Azure Government.
Applicability
- Azure
- Azure Government
Services in scope
- Azure services in scope for NIST SP 800-171 reflect the Azure FedRAMP High P-ATO scope.
- Azure Government services in scope for NIST SP 800-171 reflect the Azure Government FedRAMP High P-ATO scope.
For more information, see Cloud services in audit scope.
Office 365 and NIST SP 800-171
For more information about Office 365 compliance, see Office 365 NIST SP 800-171 documentation.
Attestation documents
For instructions on how to access attestation documents, see Audit documentation. The following attestation letters are available from the Service Trust Portal (STP) United States Government section:
- Azure Commercial – Attestation of Compliance with NIST SP 800-171
- Azure Government – Attestation of Compliance with NIST SP 800-171
- Azure Government – Attestation of Compliance with NNPI
An accredited third-party assessment organization (3PAO) has attested that Azure (also known as Azure Commercial) and Azure Government meet the criteria in the NIST SP 800-171 if the system processes CUI. Moreover, a separate attestation of compliance regarding the Naval Nuclear Propulsion Information (NNPI) is provided to show that Azure Government has implemented the security controls that are part of the Navy's security overlay. You must contact Naval Reactors (Naval Nuclear Propulsion Program) to obtain authorization prior to hosting U-NNPI in Azure Government.
For access to Azure and Azure Government FedRAMP documentation, see FedRAMP attestation documents.
Frequently asked questions
Can I use Azure NIST SP 800-171 compliance offering for my organization?
Yes. You may use Azure or Azure Government FedRAMP High P-ATO as the foundation for any compliance program that relies on NIST SP 800-53 control requirements, including NIST SP 800-171. Control implementation details are documented in the FedRAMP System Security Plan (SSP). Moreover, you may also benefit from attestations produced by a 3PAO that Azure and Azure Government meet the criteria in the NIST SP 800-171 if the system processes CUI. These reports attest to the effectiveness of the controls Microsoft has implemented for in-scope cloud services. Microsoft doesn't inspect, approve, or monitor your Azure applications. You're responsible for ensuring that your CUI workloads comply with NIST SP 800-171 guidelines.
How can I get the Azure NIST SP 800-171 attestation documents?
For links to audit documentation, see Attestation documents.
Should I use Azure or Azure Government for workloads that are subject to NIST SP 800-171?
You're wholly responsible for ensuring your own compliance with all applicable laws and regulations, and should consult your legal advisor for questions regarding regulatory compliance. Azure and Azure Government have the same security controls in place, including the same provisions for the safeguarding of customer data. For example, both cloud environments provide the same controls for data encryption, including support for customer-managed encryption keys stored in FIPS 140 validated hardware security modules (HSMs) managed by Azure Key Vault.
Both Azure and Azure Government maintain a FedRAMP High Provisional Authorization to Operate (P-ATO) issued by the FedRAMP Joint Authorization Board (JAB). An accredited third-party assessment organization (3PAO) has attested that both Azure and Azure Government meet the criteria in the NIST SP 800-171 if the system processes CUI.
The Azure Policy regulatory compliance built-in initiatives, which map to NIST SP 800-171 compliance domains and controls, are available in both Azure and Azure Government. Azure Policy helps to enforce organizational standards and assess compliance at scale. The cloud environment decision will rest with you based on your business requirements. Most US government agencies and their partners are best aligned with Azure Government, which provides an extra layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons.
Can Azure Government accommodate U-NNPI?
Yes; however, you must contact Naval Reactors (Naval Nuclear Propulsion Program) to obtain authorization prior to hosting U-NNPI in Azure Government. Naval Nuclear Propulsion Information (NNPI) that is designated as CUI is listed in the CUI category list. Unclassified NNPI (U-NNPI) is marked Not Releasable to Foreign Nationals (NOFORN), and it not be released publicly or disclosed to foreign nationals. Azure Government can accommodate U-NNPI workloads because it is designed to meet specific controls that restrict access to information and systems to US persons among Azure operations personnel. Azure Government also imposes background screening requirements mandated by US Government on operations personnel with access to production systems. For more information, see Screening and Azure support for export controls. Moreover, an accredited third-party assessment organization (3PAO) has attested that Azure Government has implemented the security controls that are part of the Navy's security overlay.
Resources
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- What is Azure Government?
- Explore Azure Government
- Microsoft government solutions
- CUI Registry and CUI Category List
- NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- NIST FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
- 32 CFR Part 2002 Controlled Unclassified Information (CUI)