NIST SP 800-171 (Rev. 2) - AWS Audit Manager

NIST SP 800-171 (Rev. 2)

AWS Audit Manager provides a prebuilt framework that structures and automates assessments for the NIST SP 800-171 compliance standard based on AWS best practices.


What is NIST SP 800-171?

NIST SP 800-171 focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations. It recommends specific security requirements to achieve that objective. NIST 800-171 is a publication that outlines the required security standards and practices for nonfederal organizations that handle CUI on their networks. It was first published in June 2015 by the National Institute of Standards and Technology (NIST). NIST is a U.S. government agency that released several standards and publications to strengthen cybersecurity resilience in the public and private sectors. NIST 800-171 has received regular updates in line with emerging cyber threats and changing technologies. The latest version (revision 2) was released in February 2020.

The cybersecurity controls within NIST 800-171 safeguard CUI in the IT networks of government contractors and subcontractors. It defines the practices and procedures that government contractors must adhere to when their networks process or store CUI. NIST 800-171 only applies to those parts of a contractor’s network where CUI is present.

Using this framework to support your audit preparation

You can use the NIST SP 800-171 Rev. 2 framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped into control sets according to NIST requirements. You can also customize this framework and its controls to support internal audits with specific requirements.

Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for your audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the NIST SP 800-171 Rev. 2 framework. When it's time for an audit, you—or a delegate of your choice—can review the evidence that Audit Manager collected. Either, you can browse the evidence folders in your assessment and choose which evidence you want to include in your assessment report. Or, if you enabled evidence finder, you can search for specific evidence and export it in CSV format, or create an assessment report from your search results. Either way, you can use this assessment report to show that your controls are working as intended.

The NIST SP 800-171 Rev. 2 framework details are as follows:

Framework name in AWS Audit Manager Number of automated controls Number of manual controls Number of control sets AWS services in scope
NIST SP 800-171 Rev. 2 66 58 16
  • Amazon CloudWatch

  • Amazon Elastic Compute Cloud

  • AWS CloudTrail

  • AWS Config

  • AWS Identity and Access Management

  • AWS Security Hub


To review the AWS Config rules that are used as data source mappings in this standard framework, download the file.

The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with NIST 800-171. Moreover, they can't guarantee that you'll pass a NIST audit. AWS Audit Manager doesn't automatically check procedural controls that require manual evidence collection.

You can find this framework under the Standard frameworks tab of the Framework library in Audit Manager.

For information about how to create an assessment using this framework, see Creating an assessment.

When you use the Audit Manager console to create an assessment from this standard framework, the list of AWS services in scope is selected by default and can’t be edited. This is because Audit Manager automatically maps and selects the data sources and services for you. This selection is made according to the requirements of the NIST SP 800-171 Rev. 2 framework. If you need to edit the list of services in scope for this framework, you can do so by using the CreateAssessment or UpdateAssessment API operations. Alternatively, you can customize the standard framework and then create an assessment from the custom framework.

For instructions on how to customize this framework to support your specific requirements, see Customizing an existing framework and Customizing an existing control.

More NIST resources