Last revised: January 2026

NIST SP 800-171 Alignment Statement

FactR Limited (“FactR”, “we”, “us”, “our”) aligns its security controls, SaaS architecture, and operational practices with the requirements of NIST Special Publication 800-171 Revision 3.

NIST SP 800-171 defines requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. While NIST does not provide vendor certifications for SP 800-171, this page describes how FactR’s platform and security program support customer compliance obligations.

1. Scope & Applicability

FactR provides a secure, multi-tenant SaaS platform for workflow automation, agentic AI, and enterprise data processing.

This alignment applies to:

  • FactR systems that process, store, or transmit customer data, including CUI

  • Infrastructure and cloud services supporting those systems

  • Operational, administrative, and governance processes supporting confidentiality, integrity, and availability

Customers remain responsible for configuring their own environments, identity providers, data classification policies, and usage of the platform in accordance with their compliance requirements.

2. Alignment Summary Across NIST SP 800-171 Control Families

The table below summarizes how FactR aligns with the 17 control families defined in NIST SP 800-171 Rev. 3.

NIST SP 800-171 Control Family | FactR Alignment Summary
Access Control (AC) | SSO (SAML/OIDC), RBAC, MFA enforcement, least-privilege defaults, session controls
Awareness & Training (AT) | Mandatory security training, annual refreshers, secure role-based development training
Audit & Accountability (AU) | Centralized audit logging, immutable logs, SIEM integration, anomaly detection
Assessment, Authorization & Monitoring (CA) | Continuous monitoring, penetration testing, third-party assessments
Configuration Management (CM) | Infrastructure-as-Code, hardened baselines, drift detection
Identification & Authentication (IA) | MFA, passwordless options, OAuth2, API key rotation
Incident Response (IR) | 24/7 incident response, runbooks, tabletop exercises, notification SLAs
Maintenance (MA) | Controlled maintenance windows, logged and approved access
Media Protection (MP) | No removable media, encrypted storage, controlled exports
Physical & Environmental Protection (PE) | Cloud provider FedRAMP-aligned facilities
Planning (PL) | Documented SSPs, architecture diagrams, data flow maps
Personnel Security (PS) | Background checks, role-based access, automated offboarding
Risk Assessment (RA) | Annual risk assessments, threat modeling, vulnerability scanning
System & Services Acquisition (SA) | Secure SDLC, SBOMs, supplier security reviews
System & Communications Protection (SC) | TLS 1.2+/1.3, encryption at rest, network segmentation
System & Information Integrity (SI) | Malware scanning, patching SLAs, runtime monitoring
Supply Chain Risk Management (SR) | Vendor due diligence, contractual security controls

3. Detailed Alignment by Control Family

3.1 Access Control (AC)

FactR enforces strict access controls to ensure only authorized users can access customer data, including CUI.

  • SSO via SAML and OIDC (Azure AD, Okta, Google Workspace)

  • Mandatory MFA for privileged and administrative roles

  • Role-based access control (RBAC) with least-privilege defaults

  • IP allow-listing for administrative interfaces

  • Automatic session expiration and token lifetimes

  • Fine-grained API permissions

  • Customer-controlled access policies for workflows and agents

Outcome: Unauthorized access is prevented through layered identity and access controls.

3.2 Awareness & Training (AT)

All FactR personnel receive:

  • Annual security awareness training

  • Secure development lifecycle (SDLC) training for engineers

  • Phishing awareness and simulation exercises

  • Role-specific training for operations and support teams

Outcome: Personnel understand their responsibilities for protecting sensitive data.

3.3 Audit & Accountability (AU)

FactR maintains comprehensive audit logging, including:

  • Authentication and authorization events

  • Administrative and configuration changes

  • Data access and workflow execution events

  • Immutable log storage with defined retention periods

  • SIEM integration for alerting and correlation

  • Log integrity protections

Outcome: Customer activity can be traced and anomalous behavior detected.

3.4 Assessment, Authorization & Monitoring (CA)

FactR conducts:

  • Annual third-party penetration testing

  • Continuous vulnerability scanning

  • Automated configuration and control monitoring

  • Periodic risk assessments

  • Inheritance of cloud provider FedRAMP Moderate/High controls

Outcome: Security posture is continuously evaluated and improved.

3.5 Configuration Management (CM)

Controls include:

  • Infrastructure-as-Code (IaC) for all production systems

  • Hardened OS, container, and service baselines

  • Version-controlled configuration repositories

  • Change management and approval workflows

  • Automated drift detection

Outcome: Systems remain secure, consistent, and auditable.

3.6 Identification & Authentication (IA)

FactR enforces strong identity controls through:

  • MFA enforcement

  • Passwordless authentication options

  • OAuth2-based API access

  • Automatic credential and key rotation

  • Strong password policies when passwords are used

Outcome: Only authenticated users and systems gain access.

3.7 Incident Response (IR)

FactR maintains a formal incident response program:

  • 24/7 on-call security team

  • Documented incident response plan and runbooks

  • Biannual tabletop exercises

  • Customer notification SLAs

  • Forensic evidence preservation

Outcome: Incidents are detected, contained, and communicated promptly.

3.8 Maintenance (MA)

Maintenance activities follow strict controls:

  • Secure, logged remote access

  • Pre-approved maintenance windows

  • Monitoring of maintenance sessions

  • No customer data stored on employee devices

Outcome: Maintenance does not compromise data confidentiality.

3.9 Media Protection (MP)

  • No removable or physical media used for customer data

  • Encrypted storage by default

  • Customer-initiated export controls

  • Secure deletion and sanitization processes

Outcome: Data is protected from unauthorized disclosure via media.

3.10 Physical & Environmental Protection (PE)

FactR leverages cloud providers with:

  • FedRAMP Moderate or High data centers

  • 24/7 physical security and monitoring

  • Redundant power, cooling, and fire suppression

Outcome: Physical protections are inherited from hyperscale providers.

3.11 Planning (PL)

FactR maintains:

  • System Security Plans (SSPs)

  • Architecture and data flow documentation

  • Risk registers

  • Business continuity and disaster recovery plans

Outcome: Security planning is documented and maintained.

3.12 Personnel Security (PS)

Controls include:

  • Background checks for employees

  • Role-based access provisioning

  • Automated offboarding workflows

  • Periodic access reviews

Outcome: Only trusted personnel access sensitive systems.

3.13 Risk Assessment (RA)

FactR performs:

  • Annual formal risk assessments

  • Threat modeling for new features

  • Continuous vulnerability scanning

  • Prioritized remediation processes

Outcome: Risks are identified and mitigated.

3.14 System & Services Acquisition (SA)

FactR follows a secure SDLC:

  • Code reviews and change approvals

  • Dependency and software composition analysis (SCA)

  • SBOM generation

  • Secure architecture reviews

  • Vendor and supplier security assessments

Outcome: Systems are securely designed, built, and acquired.

3.15 System & Communications Protection (SC)

Protections include:

  • TLS 1.2+/1.3 encryption for data in transit

  • AES-256 encryption at rest

  • Network segmentation and isolation

  • API rate limiting and web application firewalls (WAF)

  • Secrets management using industry-standard tools

Outcome: Data remains confidential in transit and at rest.

3.16 System & Information Integrity (SI)

FactR ensures integrity through:

  • Malware detection and scanning

  • Runtime security monitoring

  • Automated patching and vulnerability remediation

  • Alerting on anomalous behavior

Outcome: Threats are detected and remediated quickly.

3.17 Supply Chain Risk Management (SR)

Supply chain controls include:

  • Vendor due diligence and security reviews

  • Contractual security requirements

  • Continuous monitoring of critical suppliers

  • SBOM transparency

  • Cloud provider control inheritance

Outcome: Third-party risks are controlled and monitored.

4. Shared Responsibility Model

NIST SP 800-171 alignment follows a shared responsibility model.

Area | FactR Responsibility | Customer Responsibility
Platform security | Yes | -
Infrastructure security | Yes | -
Identity provider configuration | - | Yes
Data classification & labeling | - | Yes
Access policies | Shared | Shared
Logging & monitoring | Shared | Shared
Incident response | Shared | Shared

5. Continuous Improvement

FactR continuously enhances its security posture through:

  • Regular control reviews

  • Threat intelligence integration

  • Customer feedback and audits

  • Alignment with NIST SP 800-53, NIST CSF, and FedRAMP baselines

6. Documentation & Contact

Customers may request additional documentation, including System Security Plans (SSPs), penetration test summaries, and architecture diagrams, through their account representative.

For questions regarding this alignment statement, contact info@factr.me.

You may also view FactR Limited’s Privacy Policy and Terms & Conditions.

Official Standard Reference:
NIST Special Publication 800-171 Revision 3
https://csrc.nist.gov/pubs/sp/800/171/r3/final