Top Five Most Difficult Controls to Implement Under NIST 800-171

By Richard Brechwald • January 29, 2020

You have completed your NIST 800-171 security controls assessment to see how your company is doing in meeting the requirements of the standard. The evaluation revealed some gaps within your organization’s implementation of the solutions, tools, and processes you have launched. Unsurprisingly, these gaps typically occur in those controls most difficult to rollout. These challenges include those relating to:

Technology – Issues may include trouble identifying the right solution to address problems and the cost to acquire and implement the tools.

Process – There are often organizational matters to navigate as the company deals with changing the way it has always done things. This can extend to the need to adjust attitudes and upgrade the skillsets of members of the IT team as well as executive staff.

People – Impacting how employees perform their day-to-day work can make your whole organization run less smoothly.


Based on our work performing hundreds of assessments each year, we have identified consistent implementation gaps regarding the following controls:


5 – Training and Awareness, Control 3.2.1

  • Control requirements: This control mandates on-boarding and periodic refresher training of all users with access to sensitive information, as well as specific training for security-related roles.
  • Implementation challenges: Training and awareness impacts everyone and is one of the most effective ways to improve your security. Some employees consider it boring or not directly related or important to their work. The size of your workforce and the technical background of employees will have a direct impact on your implementation. While not the most difficult control to put into action, it can provide the most improvement to your security.
  • 51% of our assessed clients had issues with this control.


4 – FIPS-validated Cryptography, Control 3.13.11

  • Control requirements: Using FIPS-validated cryptography is compulsory to protect Controlled Unclassified Information (CUI). This includes deploying it on mobile platforms, including cell phones, tablets, and laptop drives, as well as on removable media and during transmission over unprotected communication channels.
  • Implementation challenges: This technology is complex and integrating it with the rest of your systems can be onerous. The size of your workforce and complexity of your environment also affects your implementation. Conducting the due diligence necessary to determine that all the encryption tools you employ to protect CUI can be challenging. Some of our customers understand that the encryption algorithms employed by their tools are FIPS-validated but are not aware that FIPS-validated cryptography includes other parameters, such as key generation, protection, and management.
  • 52% of our assessed clients had issues with this control.


3 – Incident Response, (Controls Class) 3.6.X

  • Control requirements: This control mandates that you establish an incident response capability that includes preparation, detection, analysis, containment, recovery, and user response, as well as the ability to track, document, and report incidents.
  • Implementation challenges: There is a tendency to be reactive rather than proactive, as often people do not like to think about things going wrong, and employees are often not eager to report to management or customers about negative events. Again, the complexity of your environment and size and training of your IT workforce impacts the implementation. Also, effective Incident Response processes go beyond IT and Security, requiring coordination with other organizations such as HR, Legal Consul, Communications, and the Executive Leadership Team.
  • 64% of our assessed clients had issues with this control.


2 – Multi-factor Authentication, Control 3.5.3

  • Control requirements: To comply, it is necessary to use multi-factor authentication (MFA) for network and remote access by all users, and in addition, privileged users require MFA for all local access. Authentication factors include “something you know”, such as a password; “something you have”, such as a token or cell phone; and “something you are”, such as a fingerprint. To meet this control, your organization must use two (or more) different factors. For example, using two passwords is not MFA. Using a password and your fingerprint is MFA.
  • Implementation challenges: This control is potentially expensive as it necessitates a new process and affects your service desk, every piece of hardware, and your people, as logging in is different. Implementation is impacted by your current systems and processes, the size of your environment, and the diversity of your platforms.
  • 73% of our assessed clients had issues with this control.


1 – Documentation for all Controls

  • Control requirements: NIST SP 800-171 r1 “expects” that nonfederal organizations will have policy, process, and plan documentation covering all the security domains as part of their comprehensive security program.
  • Implementation challenges: Most companies don’t have policy, process, or plans to measure if they are doing the right thing and doing it consistently – and this will be even more important with the introduction of Cybersecurity Maturity Model Certification (CMMC). Also, technical people typically enjoy doing technical work, such as design, implementation, and support and are not as motivated to complete the required paperwork. Implementation of a comprehensive documentation system hinges on your resources and what your company already has in place and on-file.
  • Approaching 100% of our assessed clients had issues with this control.


If you need expert help complying with these challenging requirements or any others, you can rely on CyberSheath. Contact us to see how we can help your organization move forward.  We also invite you to join Eric Noonan, CyberSheath CEO, at our upcoming webinar on February 26th, 2020 at 9:00 am (PST) | 12:00 pm (EST) to learn how these difficult NIST 800-171 controls could affect your CMMC efforts.  Register Now

In this webinar you will learn:

  • Mapping NIST 800-171 to CMMC
  • Levels 1-5: Challenges and complexities to consider at each compliance level
  • Step by step path to attaining CMMC


Webinar Leveraging NIST 800-171 to Achieve CMMC Registration Link

CyberSheath Blog

Dr. Robert Spalding to Address Nation-State Attacks at CMMC Con 2021

Since the inaugural CMMC Con, we’ve seen some of the most malicious attacks on American infrastructure ever executed. The SolarWinds attack reverberated across the entire government as agencies scrambled to discover what nation-state attackers had accessed and stolen. The Colonial Pipeline, shut down by a ransomware attack, led to fuel…

CMMC-AB vice chair Jeff Dalton to address CMMC Con 2021

The swiftness and severity of recent cyber attacks has dominated headlines and revealed that many organizations still don’t quite know what to do to protect themselves, as well as the businesses and government entities they’re connected to.   Ransomware attacks were a big point of discussion at the recent G7…

CMMC Con 2021 Opens Registration, Reveals Theme and Speakers

CMMC compliance stands in the way of revenue for every defense contractor in the supply chain. Now that CMMC is a reality for the Defense Industrial Base (DIB), learn how contractors — primes and subs, large and small, foreign-owned — are handling the standards and requirements, as well as the…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft