NIST 800-171 Compliance

NIST 800-171 Compliance: What does this mean for Federal Contractors?

Contractors that work with the DoD and have access to and will handle controlled unclassified information on their information systems are required to become NIST 800-171 compliant. Although NIST 800-171 compliance was required as of December 31, 2017, many contractors may not be fully compliant or are now understanding the depth of the requirements.

The government requires NIST 800-171 compliance to protect Federal information not maintained on a government information system. Federal information systems follow NIST 800-53 Revision 4 Recommended Security Controls for Federal Information Systems and Organizations, that provides the security controls and associated assessment procedures. Prior to NIST 800-171, there was limited guidance on how non-Federal information systems should be controlled to handle information that was not classified but should be protected.

NIST 800-171 DFARS

The Defense Federal Acquisition Regulations Supplement (DFARS) are the Department of Defense’s (DoD) supplemental regulations of the Federal Acquisition Regulations (FAR). The NIST 800-171 DFARS primarily focus on DoD-wide policy, laws, deviations from FAR requirements, and DoD specific delegations of FAR requirements. Overseen by the Defense Acquisition Regulations System (DARS) Office, the primary mission is to develop and manage the guidelines and rules for acquisition in regard to services for the DoD.

NIST 800-171 Compliance Requirements

The mandate for the NIST Special Publication 800-171 requirement is in DFARS 252.204-7012, which specifically addresses “safeguarding covered defense information and cyber incident reporting.” The scope of this mandate addresses the NIST Requirement for Government contractors and subcontractors to establish and maintain safeguards (network security) that provide security in information that resides or is transmitted through contractor systems.

NIST 800-171 CUI

Driven by Executive Order 13556 (November 4, 2010), which established a Controlled Unclassified Information (CUI) Program, the NIST Special Publication 800-171 (Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations) provides principal guidelines to a government-wide requirement for CUI. Any contractor doing business with the Federal government which handles this type of information, is required to demonstrate the security controls and be compliant with NIST 800-171 compliance requirements of this publication. A complete list of CUI categories can be found at the National Archives website.

NIST 800-171 Compliance Checklist

If your organization hasn’t reached NIST 800-171 compliance or there are concerns about potential gaps, how do you start? Understanding what is required to meet DFARS 252.204-7012 or NIST 800-171 compliance can be a challenging. Our team has developed a checklist towards NIST 800-171 compliance:

1. Check NIST 800-171 and DoD Contracts

Review any DoD contracts signed after December 31, 2017, to determine if DFARS 252.204-7012 was a requirement.

2. Access to Controlled Unclassified Information (CUI)

Identify if you have or will have access to controlled unclassified information (CUI). CUI is defined as is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified.

Categories of CUI are defined by National Archives and Records Administration. However, the categories are broad and the span of what could be considered CUI is unclear, meaning that there is a significant amount of information that may be defined as CUI. More information on CUI can be found at National Archives CUI Details.

3. Review the Requirements of NIST 800-171 Controls

Review the requirements of NIST 800-171. The publication provides key requirement guidelines to 14 key information security areas. The security requirements in NIST 800-171 consists of

  • a basic security requirements section and
  • a derived security requirements section.

NIST 800-171 basic security requirements are obtained from FIPS Publication 200. The derived security requirements, which supplement the basic security requirements, are from the security controls in NIST 800-53. The combination of these controls and the mappings in NIST 800-171 are provided to show what is required for nonfederal systems to better manage the security of CUI while not providing overly rigorous requirements that are required for federal systems. Ultimately, the intent of the control families in NIST 800-171 is to provide the level of security needed to control information for nonfederal systems while removing controls that are necessary for Federal systems but not needed outside of the government. The security families in the NIST 800-171:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

More information on NIST 800-171 can be found in
NIST Special Publication

4. Evaluate your IT systems

Evaluate your IT systems, network, and applications as you assess how you would receive the information, how the information would be processed, how it would be managed, and stored, and how it would be transferred. This will help define the boundaries of what systems would be in scope.

5. Perform a NIST 800-171 Gap Analysis

Perform an assessment to evaluate existing NIST 800-171 compliance. An assessment (NIST 800-171 Gap Analysis) can be done internally or by using an external provider. The assessment should include a review of existing policies and business processes, a technical evaluation of systems, applications, and networks to understand vulnerabilities and security controls, and a review of data and assets.

The assessment should look at both risks as well as gaps in compliance. Why is it important to identify risks? Performing an assessment from a risk-based perspective will help you understand how you will manage security controls regardless of system changes to ensure your team understands how to achieve NIST 800-171 compliance long term.

6. Document Gaps and Create a Plan of Action and Milestones (NIST 800-171 Documentation)

After an assessment is performed, there should be documentation of gaps and how remediation will begin, which is captured in a Plan of Action and Milestones (POAM). The POAM details tasks and milestones for compliance (basically a listing of gaps and your plan for remediation with commitments on a timeline).

7. Develop a System Security Plan (NIST 800-171 Documentation)

Additional documentation includes your System Security Plan (SSP), which demonstrates how your organization meets the requirements. The SSP is an evolving plan that is provides valuable guidance on how your organization handles cybersecurity. The SSP acts as your roadmap for meeting the requirements as well as any deficiencies and plans to address them. It details system boundaries, system interconnections, and key devices. The SSP should be easily understood, clearly stated, and specific so that each control is defined as implemented, has a plan for implementation, or not applicable. The SSP should be updated frequently as a living document depicting your organization’s level of NIST 800-171 compliance and cybersecurity plan.

8. Undertake Remediation

After you have defined your weaknesses (POAM) and how your organization handles security (SSP) to meet NIST 800-171 compliance, start working on remediation.

9. Consider a NIST 800-171 Audit

While not required, we recommend a NIST 800-171 audit to validate compliance and identify any deficiencies during or at least post remediation. Ongoing audits or reviews will help keep your plan updated and help with ongoing NIST 800-171 compliance.

10. Keep up with NIST Compliance and Incident Reporting

Remember that ongoing compliance is needed, as there is a requirement to rapidly respond to an incident. If there is an incident, you need to evaluate the situation through a thorough review, collect data, and resolve the incident. Incidents must be rapidly reported to DoD.

NIST SP 800-171 Compliance Consultant

If you need help getting started, it will save time and budget to use a consultant to assist with the initial assessment. ITG is a knowledgeable and experienced Consultant in Cybersecurity Compliance and Information Assurance practices, including industry standards such as the International Organization for Standardization’s (ISO) – ISO/IEC 27001:2013 – Information Security Management Systems and NIST cybersecurity requirements, the 800 series, and the Risk Management Framework.

Our team can assist with your assessment and remediation by mapping your existing policies and controls to evaluate compliance with NIST 800-171 requirements:

  • A compliance mapping NIST 800-171 detailing weaknesses and conformance (step 5)
  • A risk assessment of your processes, systems, and assets against NIST 800-171 specific controls (step 5)
  • A POAM detailing tasks and milestones for compliance (step 6)
  • A System Security Plan demonstrating how your organization meets the requirements (step 7)
  • An audit to validate compliance and identify any deficiencies (step 9)

Need more information about NIST and how to achieve compliance?

Contact us for a free preliminary assessment to understand your gaps and deficiencies related to NIST 800-171 compliance.





What is NIST 800?

NIST 800 is a series of documents that relate to the federal government computer security policies, procedures and guidelines. This includes cyber security, system requirements, and information security policies. NIST 800 is often used to reference NIST 800-53 or Special Publication NIST 800-171, which is in response to Executive Order 13556.

When is the DFARS 252.204-7012 required?

They were required to be implemented by December 31, 2017. However, this is a DFARS requirement that is specific to a contract that contains CUI. If your organization has not had access to CUI, then this may be a new requirement. If you are past due in meeting this requirement or have a new contract with this clause, then you will need to start on your path towards NIST 800-171 compliance immediately.

What is NIST 800-171?

NIST 800-171 is the guideline for protecting Controlled Unclassified Information outside of a federal agency or system. NIST 800-171 compliance is mandatory for organizations that hold controlled unclassified information within an internal system or a system in which they maintain control or oversight. This includes email, file sharing, etc. and, includes the storage, access, transfer, or governance of information that, while not classified, must be controlled due to its sensitivity.

How do I become NIST 800-171 compliant?

NIST 800-171 compliance requires an understanding of what information is considered to be CUI and identification of the systems as well as parties that have access to this data. An organization ultimately needs to understand the NIST 800-171 requirements. Our qualified NIST Consultants can show you how to successfully prepare for, and achieve compliance with the NIST Standards, and strategically support your information security goals and objectives.

As practitioners and NIST subject matter experts, our team brings a unique capability of technical understanding, implementation and application practice; and operational management that provides our partners with exceptional support for their mission and Federal customer mandates.

Our team of consultants and information security practitioners comprehend the operational and technological requirements of the latest DFARS 252.204-7012 mandate requiring compliance with NIST Special Publication 800-171 (NIST Standards) for contractors that access and process controlled unclassified information (CUI) or covered defense information (CDI). As a Federal Contractor too, our team understands the necessity in maintaining information to technical and compliance controls. Our clients look to our Information Security Consultant Services for valued support of their key initiatives in the areas of information security and cyber threats.

What is CUI?

CUI is Controlled Unclassified Information. Executive Order 13556 established the CUI program, which is a system that standardizes and simplifies the way unclassified information should be handled. Information that is not classified but is sensitive should be safeguarded through well-defined controls that are consistent with applicable laws, regulations, and government-wide policies to protect the release or dissemination of information from unintended access or use.