NIST SP 800-171* Compliance

*Note that there are various NIST SP 800 compliance standards, such as NIST 800-53 (generally used by the DOJ).  If you see other NIST references besides NIST SP 800-171 in your FOA/RFA or award/contract agreement, please reach out to the ORA as soon as possible.

One of the mechanisms to achieve research security and/or export control protections for information is through NIST SP 800-171 ("NIST 800") compliance.  NIST SP 800-171 is a set of cybersecurity standards established by the National Institute of Standards and Technology.  The standards are guidelines for Federal agencies entering into agreements with other organizations where sensitive (but not classified) information may be involved in the research.  Some projects require the implementation of these standards, either because of the subject matter or because the contract requires it.  You are responsible for ensuring NIST SP 800-171 compliance.

What do I need to do to be NIST 800 compliant?

Before you apply for a grant or contract, determine whether the research requires NIST 800 compliance.  The following situations generally require NIST 800 compliance:

  • Funding from the DOD, DOE, NASA, and occasionally NSF or NIH awards for more sensitive topics such as high encryption research or semiconductor research;
  • If it is clear in the FOA/RFA that the research restricts publication or restricts foreign nationals from working on the project;
  • If the project is Federally-funded and you will receive or generate Controlled Unclassified Information (CUI);
    • A good rule of thumb is that if you receive any items that are export controlled, or information is export controlled or subject to a Federal rule on privacy of the information (e.g. health care information, legal information, financial information, or trade secrets), chances are you are receiving or generating CUI. 
    • Refer to the University of Akron CUI webpage for more information in determining whether you are working with CUI.
  • Regardless of funding source, if the project involves ITAR items or information; or
  • If the terms of the agreement require it, even without CUI as part of the research.

If you need to be NIST 800 compliant:

  • During application: Budget for the use of the secure cyber environment for each specific project that requires it.  Sponsored Programs includes this budget item in the budget template.  Costs are based partly on computing needs.  If you have questions, please reach out to the Office of Research Administration or Information Security for assistance with estimating those costs.
  • Pending award: Develop a Technology Control Plan and get training for your research team.
  • During award:
    • Ensure compliance with the NIST 800 standards, UA's System Security Plan (SSP), and your project Technology Control Plan.
    • Report any incident to the ORA and Information Security within the timeframe set by the SSP and/or your TCP (whichever is sooner).
  • Post award:
    • Maintain data in the secure environment, as required; or
    • Destroy data and tangible items, as required by contract.  Note that appropriate destruction must follow NIST 800 standards.

OTHER RESOURCES

Although the latest revision of NIST SP 800-171 is revision 3, the DOD has released a memo permitting a deviation to continue using revision 2.  For new agreements with the DOD, if you do not see a DOD deviation clause in your agreement, ask Sponsored Programs and your DOD contact to have a deviation included in the agreement.

For assistance with any of these activities, questions related to NIST 800 compliance, or questions about research security in general, reach out to ORA.