NIST 800-171 Learning Path

Learn about CUI and how to identify/protect it under the NIST 800-171 requirements.

5 hours, 5 minutes

Quick facts

About this learning path

  • courses

    100% online

  • Duration

    5 hours, 5 minutes

  • Assessment


About NIST 800-171

NIST SP 800-171 is a cybersecurity framework of 110 controls in 14 families published by the National Institute of Standards and Technology (NIST). This learning path will teach you how to comply with the requirements of NIST 800-171. You will understand what CUI is and how to identify it; what a nonfederal information system is; how to understand each of the 110 requirements in the framework and satisfy each of them if necessary; and how to create a Body of Evidence (BOE), including Organizational Policy or Procedures, a System Security Plan (SSP) and Plans of Action and Milestones (POAM). Upon completion of this course, you will have the knowledge and skills to implement the controls required by the NIST 800-171 framework and build your BOE.



NIST 800-171 Skill Assessment

Assessment - 50 questions

Review the DFARS requirement that led to NIST 800-171

Course - 00:31:00

DFARS clause 252.204-7012 calls for the protection of Controlled Unclassified Information (CUI). In this first course, we will review the history that led to the implementation of NIST SP 800-171, including key terms, applicability of the requirements and a high-level overview of the Body of Evidence (BOE) that documents implementation of controls that satisfy the 110 requirements including Policies, a System Security Plan (SSP) and Plans of Action and Milestones (POAM).

Understanding the NIST 800-171 controls

Course - 01:26:00

NIST SP 800-171 R2 defines 110 security requirements, divided into 14 requirements families, that are needed to help ensure the confidentiality, integrity and availability of CUI. In this course, we will explore each of the 14 requirements families and dive into each of the 110 individual requirements.

Understand and create policies and plans

Course - 00:16:00

Policies are mandatory requirements, established by senior management, that provide strategy and direction. While many of the requirements of NIST SP 800-171 are technical in nature, some are administrative and both may require policies to fully satisfy a requirement. In this course, we will look at some of the common policies that may be needed to satisfy requirements, as well as where you can find policy templates to help you get started.

Create a System Security Plan (SSP) for implemented controls

Course - 00:46:00

A System Security Plan (SSP) is a blueprint of your cybersecurity program. It documents your implementation of controls that satisfy the 110 requirements of NIST 800-171. An SSP is part of the Body of Evidence and is one of the specific requirements (3.12.4) defined in NIST SP 800-171. In this course, we will use the NIST SSP template to learn how to create an SSP.

Create a Plan of Action and Milestones for unimplemented controls

Course - 00:12:00

A Plan of Action and Milestones (POAM) is a document that demonstrates your commitment to and plan for implementing controls that satisfy any unsatisfied requirements of NIST 800-171. A POAM is part of the Body of Evidence and is defined as one of the specific requirements (3.12.2) of NIST SP 800-171. In this course, we will use a spreadsheet based on the NIST POAM template to learn how to create a POAM.

NIST 800-171 and CMMC

Course - 00:30:00

NIST SP 800-171 is a self-attestation standard that creates little to no audit risk. This resulted in perpetual POAMs and little incentive for NFOs to fully implement all 110 requirements of NIST SP 800-171. To prevent the exfiltration of CUI from the Defense Industrial Base (DIB), the Cybersecurity Maturity Model Certification (CMMC) was created. It establishes compliance as a condition of doing business with DoD. Explore the benefits of NIST SP 800-171 and CMMC.

Putting it all together

Course - 01:16:00

We review all of the material covered in this class and do a project to create the Body of Evidence for all of the requirements of family 3.13, System and Communications Protection, including a sample policy, a System Security Plan (SSP) and a Plan of Action and Milestones (POAM). We also score these requirements for 3.13 for a sample Basic Assessment and look at how to submit a Basic Assessment to SPRS.

Meet the author

Dave Hatter

Dave Hatter is an accomplished, enthusiastic, award-winning technology professional and servant leader with more than 30 years of software development, cybersecurity, and project management experience. He has earned numerous industry certifications including CISSP, CISA, CISM, CCSP, CSSLP, Security+, Network+, MS Azure Fundamentals, PMP, PMI-ACP, PMI-PBA, PSM 1, PSD 1, and ITIL Foundation V3 and holds a BS in Information Systems from NKU. He has written or contributed to 12 technology books, written more than 100 technology-related articles and has been quoted in publications including The Wall Street Journal, Money, MSNBC, Salon, Reader’s Digest, MSN, Business Insider, The Street, Yahoo! Money, The Ladders, InfoWorld, ComputerWorld, CIO, CSO, CIO Update, Search CIO, Digital Trends, Tech Beacon, CyberNews, Lifewire and GearBrain.

How to claim CPEs

Should you complete this learning path, you’ll be able to download a certificate of completion. Use this to claim your CPEs or CPUs.
