NIST SP 800-171

About NIST SP 800-171

The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the information and information systems of federal agencies. In response to Executive Order 13556 on managing controlled unclassified information (CUI), it published NIST SP 800-171, Protecting Controlled Unclassified Information In Nonfederal Information Systems and Organizations. CUI is defined as information, both digital and physical, created by a government (or an entity on its behalf) that, while not classified, is still sensitive and requires protection.

NIST SP 800-171 was originally published in June 2015 and has been updated several times since then in response to evolving cyberthreats. It provides guidelines on how CUI should be securely accessed, transmitted, and stored in nonfederal information systems and organizations; its requirements fall into four main categories:

  • Controls and processes for managing and protecting
  • Monitoring and management of IT systems
  • Clear practices and procedures for end users
  • Implementation of technological and physical security measures

Microsoft and NIST SP 800-171

Accredited third-party assessment organizations, Kratos Secureinfo and Coalfire, partnered with Microsoft to attest that its in-scope cloud services meet the criteria in NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations, when they process CUI. The Microsoft implementation of FedRAMP requirements help ensure Microsoft in-scope cloud services meet or exceed the requirements of NIST SP 800-171 using the systems and practices already in place.

NIST SP 800-171 requirements are a subset of NIST SP 800-53, the standard that FedRAMP uses. Appendix D of NIST SP 800-171 provides a direct mapping of its CUI security requirements to the relevant security controls in NIST SP 800-53, for which the in-scope cloud services have already been assessed and authorized under the FedRAMP program.

Any entity that processes or stores US government CUI — research institutions, consulting companies, manufacturing contractors, must comply with the stringent requirements of NIST SP 800-171. This attestation means Microsoft in-scope cloud services can accommodate customers looking to deploy CUI workloads with the assurance that Microsoft is in full compliance. For example, all DoD contractors who process, store, or transmit 'covered defense information' using in-scope Microsoft cloud services in their information systems meet the US Department of Defense DFARS clauses that require compliance with the security requirements of NIST SP 800-171.

Microsoft in-scope cloud platforms & services

  • Azure Commercial, Azure Government
  • Dynamics 365 U.S. Government
  • Intune
  • Office 365 U.S. Government Community Cloud (GCC), Office 365 GCC High, and DoD
    • Note that Office 365 Commercial is not included in the third-party audit conducted for NIST 800-171 and is not in scope.

Azure, Dynamics 365, and NIST SP 800-171

For more information about Azure, Dynamics 365, and other online services compliance, see the Azure NIST SP 800-171 offering.

Office 365 and NIST SP 800-171

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability In-scope services
GCC Activity Feed Service, Bing Services, Delve, Exchange Online, Intelligent Services, Microsoft Teams, Office 365 Customer Portal, Office Online, Office Service Infrastructure, Office Usage Reports, OneDrive for Business, People Card, SharePoint Online, Skype for Business, Windows Ink
GCC High Activity Feed Service, Bing Services, Exchange Online, Intelligent Services, Microsoft Teams, Office 365 Customer Portal, Office Online, Office Service Infrastructure, Office Usage Reports, OneDrive for Business, People Card, SharePoint Online, Skype for Business, Windows Ink
DoD Activity Feed Service, Bing Services, Exchange Online, Intelligent Services, Office 365 Customer Portal, Office Online, Office Service Infrastructure, Office Usage Reports, OneDrive for Business, People Card, Microsoft Teams, SharePoint Online, Skype for Business, Windows Ink

Frequently asked questions

Can I use Microsoft compliance with NIST SP 800-171 for my organization?

Yes. Microsoft customers may use the audited controls described in the reports from independent third-party assessment organizations (3PAO) on FedRAMP standards as part of their own FedRAMP and NIST risk analysis and qualification efforts. These reports attest to the effectiveness of the controls Microsoft has implemented in its in-scope cloud services. Customers are responsible for ensuring that their CUI workloads comply with NIST SP 800-171 guidelines.

Use Microsoft Purview Compliance Manager to assess your risk

Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Resources