A person hugging a computer with a flag that says Help

Top Five Most Difficult Controls to Implement Under NIST 800-171

You have completed your NIST 800-171 security controls assessment to see how your company is doing in meeting the requirements of the standard. The evaluation revealed some gaps within your organization’s implementation of the solutions, tools, and processes you have launched. Unsurprisingly, these gaps typically occur in those controls most difficult to rollout. These challenges include those relating to:

Technology – Issues may include trouble identifying the right solution to address problems and the cost to acquire and implement the tools.

Process – There are often organizational matters to navigate as the company deals with changing the way it has always done things. This can extend to the need to adjust attitudes and upgrade the skillsets of members of the IT team as well as executive staff.

People – Impacting how employees perform their day-to-day work can make your whole organization run less smoothly.


Based on our work performing hundreds of assessments each year, we have identified consistent implementation gaps regarding the following controls:


5 – Training and Awareness, Control 3.2.1

  • Control requirements: This control mandates on-boarding and periodic refresher training of all users with access to sensitive information, as well as specific training for security-related roles.
  • Implementation challenges: Training and awareness impacts everyone and is one of the most effective ways to improve your security. Some employees consider it boring or not directly related or important to their work. The size of your workforce and the technical background of employees will have a direct impact on your implementation. While not the most difficult control to put into action, it can provide the most improvement to your security.
  • 51% of our assessed clients had issues with this control.


4 – FIPS-validated Cryptography, Control 3.13.11

  • Control requirements: Using FIPS-validated cryptography is compulsory to protect Controlled Unclassified Information (CUI). This includes deploying it on mobile platforms, including cell phones, tablets, and laptop drives, as well as on removable media and during transmission over unprotected communication channels.
  • Implementation challenges: This technology is complex and integrating it with the rest of your systems can be onerous. The size of your workforce and complexity of your environment also affects your implementation. Conducting the due diligence necessary to determine that all the encryption tools you employ to protect CUI can be challenging. Some of our customers understand that the encryption algorithms employed by their tools are FIPS-validated but are not aware that FIPS-validated cryptography includes other parameters, such as key generation, protection, and management.
  • 52% of our assessed clients had issues with this control.


3 – Incident Response, (Controls Class) 3.6.X

  • Control requirements: This control mandates that you establish an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response, as well as the ability to track, document, and report incidents.
  • Implementation challenges: There is a tendency to be reactive rather than proactive, as often people do not like to think about things going wrong, and employees are often not eager to report to management or customers about negative events. Again, the complexity of your environment and size and training of your IT workforce impacts the implementation. Also, effective Incident Response processes go beyond IT and Security, requiring coordination with other organizations such as HR, Legal Consul, Communications, and the Executive Leadership Team.
  • 64% of our assessed clients had issues with this control.


2 – Multi-factor Authentication, Control 3.5.3

  • Control requirements: To comply, it is necessary to use multi-factor authentication (MFA) for network and remote access by all users, and in addition, privileged users require MFA for all local access. Authentication factors include “something you know”, such as a password; “something you have”, such as a token or cell phone; and “something you are”, such as a fingerprint. To meet this control, your organization must use two (or more) different factors. For example, using two passwords is not MFA. Using a password and your fingerprint is MFA.
  • Implementation challenges: This control is potentially expensive as it necessitates a new process and affects your service desk, every piece of hardware, and your people, as logging in is different. Implementation is impacted by your current systems and processes, the size of your environment, and the diversity of your platforms.
  • 73% of our assessed clients had issues with this control.


1 – Documentation for all Controls

  • Control requirements: NIST SP 800-171 r1 “expects” that nonfederal organizations will have policy, process, and plan documentation covering all the security domains as part of their comprehensive security program.
  • Implementation challenges: Most companies don’t have policy, process, or plans to measure if they are doing the right thing and doing it consistently – and this will be even more important with the introduction of Cybersecurity Maturity Model Certification (CMMC). Also, technical people typically enjoy doing technical work, such as design, implementation, and support and are not as motivated to complete the required paperwork. Implementation of a comprehensive documentation system hinges on your resources and what your company already has in place and on-file.
  • Approaching 100% of our assessed clients had issues with this control.


If you need expert help complying with these challenging requirements or any others, you can rely on CyberSheath. Contact us to see how we can help your organization move forward.  We also invite you to join Eric Noonan, CyberSheath CEO, at our upcoming webinar on February 26th, 2020 at 9:00 am (PST) | 12:00 pm (EST) to learn how these difficult NIST 800-171 controls could affect your CMMC efforts.  Register Now

In this webinar you will learn:

  • Mapping NIST 800-171 to CMMC
  • Levels 1-5: Challenges and complexities to consider at each compliance level
  • Step by step path to attaining CMMC


Webinar Leveraging NIST 800-171 to Achieve CMMC Registration Link

Join us for CMMC CON 2024 on Sept. 25, 2024, at 9am EST for a free, virtual, one-day conference focused on safeguarding against cyber threats.
This is default text for notification bar