Project Phase Planning

These questions are intended to walk an institution through the phases needed to reach NIST 800-171 compliance at the relevant level(s) of maturity. These phases may happen simultaneously or sequentially, and the duration for each activity will vary based on the institution. The size of this initiative will depend on whether your institution is securing research, financial aid data, or other controlled unclassified information. For this process to be most effective, answer these questions with all relevant stakeholders across your institution. Stakeholders could include general counsel, data governance, information technology, research, financial aid, and others. 


  • Why is this work important to your institution?

  • Who is leading this effort?

  • Who are the stakeholders?


  • What types of data need to be protected?

  • Where are the data that need to be protected?

  • Will the environment be an enclave, institution-wide, a specific system, or something else?


  • Can existing efforts be leveraged?

  • What frameworks already apply?

  • How will you document these efforts?


  • What are the roles and responsibilities for each control or control family?

  • What evidence is needed to support meeting each control?

  • What are the deliverables and timeline?


  • What processes and procedures will be used? 

  • How will you communicate with stakeholders?

  • Who is doing the work?


  • Did the deliverables meet expectations? 

  • What steps are still needed?

  • Do you need to conduct an internal audit, peer audit, or an audit by an external party?


  • Are the data still being protected?

  • Are there new data that need protecting?

  • Are there old data that need to be destroyed or archived?