What is NIST 800-171?

Your organization can’t afford to lose valuable government contracts. Protect your business by bolstering your organization’s ability to comply with NIST800-171.

Government contracts are highly lucrative, but also tough to secure and manage. That’s because the Federal Government deals with a lot of classified and controlled information on a day-to-day basis. Any contractors or subcontractors who wish to work with the Federal government must, therefore, have security procedures in place to protect that sensitive information.

National Institute of Standards and Technology (NIST) 800-171 is a mandate that states that federal contractors and subcontractors that handle, transmit, or store controlled unclassified information (CUI) must comply with certain standards to protect that data. Compliance with NIST 800-171 is required under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.

What is Controlled Unclassified Information (CUI)?

CUI is information created or owned by the government that is unclassified, but still very sensitive. As such, it is required that this information be safeguarded from unauthorized exposure. CUI may be in the form of electronic files, emails (or email attachments), blueprints, and more.

The CUI designation was established via an Executive Order in 2010, formalizing the way in which this information is managed and regulated. The National Archives and Records Administration (NARA) operates a CUI Registry with organizational index groupings and CUI categories, outlining all the different types of information that falls under the CUI designation.

What’s Included in NIST 800-171?

In total, NIST 800-171 lists more than 100 different security requirements within 14 control categories:

  • Access Control: Requirements related to who has access to business computers and networks, and what types of information different roles are able to access.
  • Awareness and Training: Relates to an organization’s ability to understand and identify security threats.
  • Audit and Accountability: Requires that an organization sets up user accounts and a structure to restrict access to auditing systems and functions to only administrators and IT personnel.
  • Configuration Management: Limits a user’s ability to update security settings or install unapproved software on computers which access an organization’s network.
  • Identification and Authentication: These controls regulate password requirements and multifactor authentication systems.
  • Incident Response: Requires an organization to design a set of procedures for handling systems issues, and train personnel to report security incidents to administrators and managers.
  • Maintenance: Requirements related to removing sensitive data from equipment that needs to be sent out for repair, and ensuring removable media is scanned for malicious software.
  • Media Protection: This set of controls regulates how an organization marks CUI, transfers CUI on/off removable media, and encrypts CUI on removable media.
  • Personnel Security: Controls regarding disabling and deleting user accounts after employees are terminated or transferred.
  • Physical Protection: Outlines the proper use of surveillance and security measures to monitor physical facilities.
  • Risk Assessment: Requires organizations to perform routine risk assessments and updates procedures accordingly.
  • Security Assessment: Requires organizations to perform routine reviews of security measures and create a plan to track vulnerabilities.
  • System and Communications Protection: Outlines the required use of encryption tools and requirements for segmenting system networks into separate portions.
  • System and Information Integrity: Controls related to an organization’s ability to monitor systems and identify threats.

What is the difference between CMMC and NIST 800-171?

NIST 800-171 is a voluntary framework that relies on self-attestation of adherence. Unfortunately, over the past few years, it’s been found that an alarming number of contractors are deficient in their management and implementation of NIST 800-171.

The Cybersecurity Maturity Model Certification (CMMC) is a program created to audit compliance with NIST 800-171. The government has tried to implement other rules requiring the NIST 800-171 self-assessment but have struggled with adoption due to limited enforcement —  the most recent attempt is via the DFARS Interim Rule.  This rule specifies that all contractors (prime contractors and subcontractors) to post a current assessment into the Supplier Performance Risk System (SPRS) as a requirement to submitting bids with the DoD.  The purpose of the DFARS Interim Rule is to increase the protection of unclassified information within the DoD supply chain.

With CMMC, the goal is to provide a verification mechanism to ensure cybersecurity controls and processes adequately protect CUI that resides on Defense Industrial Base (DIB) systems and networks. CMMC goes beyond what’s included within NIST 800-171, requiring additional cybersecurity practices and controls.

It is expected that by 2026 all DoD contracts will require CMMC.

What Happens if I Don’t Comply with NIST 800-171?

As of 2019, the government has the authority to audit contracted organizations for NIST 800-171 compliance at any time. Proper compliance is therefore essential in order to continue working with the Federal Government. Failure to comply with NIST 800-171 could result in:

  • Failure to obtain new government contracts
  • A loss of current contracts
  • Removal from the DoD’s Approved Vendor list

How Can I Become NIST 800-171 Compliant?

As stated above, NIST 800-171 involves a self-assessment process. Professional auditors, like A-LIGN, can assist your organization through that process, by assessing your company’s controls against the published controls in NIST 800-171.  If your organization is looking to complete a NIST 800-171 self assessment, our auditing experts will help you to complete the NIST 800-171 assessment that is required by the DFARS Interim Rule to satisfy the DoD requirements for protecting CUI.

Our experts understand the nuances of NIST control elements and are familiar with a range of federal compliance mechanisms including NIST 800-53 and FedRAMP. With our breadth and depth of knowledge related to the federal compliance landscape, you can feel confident in your organization’s ability to meet the security requirements outlined by the Federal Government.

Want to learn more? Contact an NIST 800-171 expert at A-LIGN today.