Glossary
NIST 800-171 compliance refers to conformance with the NIST Special Publication 800-171, titled Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Developed by the National Institute of Standards and Technology (NIST), this framework defines the security requirements for safeguarding Controlled Unclassified Information (CUI) when handled by contractors and partners of U.S. federal agencies.
NIST 800-171 is a mandatory requirement for organizations in the Department of Defense (DoD) supply chain, as well as those working with NASA, GSA, and other civilian agencies. It applies to any contractor or subcontractor that processes, stores, or transmits CUI: data that, while not classified, is sensitive and protected by federal regulations.
The framework outlines 110 security requirements across 14 families, including:
NIST 800-171 is also the foundation for the Cybersecurity Maturity Model Certification (CMMC) program, which requires formal assessment and certification of compliance.
Failure to comply with NIST 800-171 can result in contract loss, legal exposure, or disqualification from future federal opportunities.
Xona enables compliance with key access-related requirements of NIST 800-171 by enforcing secure, policy-based remote access to critical systems without exposing credentials or expanding the attack surface. Aligned with families like Access Control, Audit and Accountability, and Identification and Authentication, Xona supports:
Xona also helps contractors maintain secure access to systems containing CUI during diagnostics, support, or maintenance operations, whether performed by internal staff or third-party vendors, while preserving traceability and data integrity.
Any nonfederal organization that processes, stores, or transmits Controlled Unclassified Information (CUI) on behalf of a U.S. federal agency must comply with NIST 800-171. This includes contractors and subcontractors working with the Department of Defense (DoD), NASA, GSA, and other civilian agencies.
The Access Control (AC) family within NIST 800-171 requires organizations to enforce least privilege, role-based access, session restrictions, and control of remote access. It mandates that only authorized individuals may access CUI, and that access must be restricted based on job responsibilities and time-bound authorization.
MFA is required under the Identification and Authentication (IA) control family to ensure that only verified users can access systems handling CUI. It significantly reduces the risk of credential compromise, which is one of the most common vectors in cyberattacks targeting federal contractors.
Xona enforces multi-factor authentication, role- and time-based access control, and credential injection, which removes the need for users to handle sensitive passwords. All access is identity-based, and session activity is fully logged and recorded, ensuring that access to CUI is both secured and attributable, which aligns directly with controls in the AC, IA, and AU families.
Xona captures comprehensive session metadata, including user identity, access time, system accessed, and protocol used, along with optional full session video recordings. Logs are stored immutably and can be integrated with SIEM platforms, meeting NIST 800-171 requirements for audit generation, review, and retention.
Xona enables secure, browser-based access to systems containing CUI without requiring direct network connections or exposing credentials, which is ideal for supporting internal staff and approved vendors. This allows organizations to maintain control, visibility, and integrity over remote sessions while complying with NIST 800-171 controls for secure communication, configuration management, and access oversight.
Originally published December 04, 2025