CMMC Certification

What is NIST SP 800-171?

The U.S. Government considers the protection of Controlled Unclassified Information (CUI) in nonfederal systems and organizations is of great importance to the federal agencies. Loss or breach of CUI can directly impact the ability of the agencies to perform its missions and operations.

NIST 800-171 refers to National Institute of Standards and Technology (NIST) Special Publication 800-171, which governs Controlled Unclassified Information (CUI) that is processed, stored, and transmitted in Non-Federal Information Systems and Organizations. It is a standard that defines the security requirements and methods of safeguarding and distributing the material deemed sensitive but not classified by the federal government agencies when:

CUI is resident in nonfederal systems and organizations

No specific safeguarding requirements exist for protecting the confidentiality of CUI by another law or regulation, and

The nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency

The security requirements identified in NIST 800-171 standard are intended for use by federal agencies in contracts and other agreements established between those agencies and nonfederal organizations, such as their subcontractors and partners.

Who is Required to Comply?

DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012 requires companies and organizations to comply with the NIST 800-171 cyber security standard when they process, store, or transmit CUI. This requirement typically would be found in the Department of Defense contracts. The organizations and companies that are not compliant with this standard would risk losing their DoD contracts.

Simply put, if your company/organization wants to work with the DoD you will have to be NIST 800-171 compliant in case you will find yourself in a situation of receiving or processing CUI.

DFARS also requires contractors and subcontractors to immediately report cyber breaches and incidents (in 72 hours of discovery) to DoD. In case your company is a lower-tier subcontractor your company would also be required to provide the incident report to the higher-tier subcontractor, until the prime contractor is reached.

In summary, every contracting organization must take immediate action to fulfill the requirements if they are not already compliant. The preparation process typically includes in-depth assessment of the current cyber-security posture of the organization and identify the requirements. Thereafter, organization should implement actions that include securing the system access, increasing employee awareness, properly configuring the system security settings, installing/deploying necessary risk analysis and monitoring software, etc.

Failure to comply can result in the termination of active contracts with DoD, fines or penalties resulting from the breach of contract, and rejection from the new contracts.

Download NIST SP 800-171 standard

Download Supplement to NIST SP 800-171 standard

(NIST SP 800-172)


What are the Components of NIST SP 800-171?

The standard has 14 key areas and requirement families. Companies must implement 110 requirements that are outlined in these areas:

  • Access Control (AC)
  • Awareness & Training (AT)
  • Audit & Accountability (AU)
  • Configuration Management (CM)
  • Identification & Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

Don’t try to manage it all alone! Linqs  has extensive experience in compliance with the NIST SP 800-171 requirements.

We can assist you by training your employees and developing policy and procedures in addition to providing expert guidance on securing your systems for achieving compliance with NIST SP 800-171 as soon as possible.

Related Posts and News

Rev 3 seems to bring more clarity and streamlined the understanding of the information in Section 1 and Section 2 of the Rev 2. Some of the security requirements and families in Section 3 were modified to reflect and align with the NIST SP 800-53B moderate […]
CMMC-AB (CMMC Accreditation Body) updates the community on its progress in a note submitted to interested parties. Some of the activities, that were undertaken in such a short time since its inception, include the following: CMMC AB has been incorporated as a nonstock corporation in the […]