Background

NIST 800-171 outlines specific requirements that any non-federal computer system must follow to protect Controlled Unclassified Information (CUI) that is stored, processed, or transmitted throughout the system. CUI is defined as information that does not carry classified status but needs to be safeguarded due to government policies and laws or ordinances. Organizations that handle CUI must be NIST 800-171 compliant to secure federal contracts, including contracts with the Department of Defense (DoD), NASA, and the General Services Administration (GSA).

NIST 800-171 consists of the following 14 control domains that contain 110 security requirements:

  • Access Control
  • Awareness & Training
  • Audit & Accountability
  • Configuration Management
  • Identification & Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System & Communications Protection
  • System & Information Integrity

NIST 800-171 requirements are broken down into two categories: administrative and technical.

Administrative regulations are actions organizations must take to prevent incidents from occurring, including reporting vulnerabilities, hardware maintenance, and regularly reviewing workflow procedures.

Technical regulations are the cybersecurity and access control steps a company needs to take to protect the digital data that is stored or that can be transferred across the Internet.

Achieving NIST 800-171 Compliance

There is no designated certification body or an official audit to determine NIST 800-171 compliance. Organizations need to self-assess against the 110 requirements.

Organizations that contract with the DoD will use a point-based system to demonstrate compliance. A point is gained for each of the 110 requirements the organization meets. Points are lost for each requirement that does not have a corresponding control fully implemented.

For any requirements that aren’t met, the organization should create Plans of Action and Milestones (POA&M). A POA&M details how existing gaps will be addressed, and it must include deadlines for when the appropriate controls will be implemented.

DoD contractors also need to provide a System Security Plan (SSP) that includes a detailed description of their IT system and security policies and procedures.

Benefits of NIST 800-171 Compliance

Meeting all the requirements of NIST 800-171 ensures your organization will have the policies and procedures in place to protect sensitive data, protect against cyber incidents, and respond and recover faster if an event does occur. Your NIST 800-171 compliance will meet the qualifications to secure contracts with federal agencies. It will also demonstrate to other potential partners that you have taken significant steps to protect sensitive data, potentially differentiating your organization from the competition.

The Cybersecurity Maturity Model Certification (CMMC) is based on the NIST 800-171 controls. For organizations looking to secure DoD contracts, adhering to 800-171 requirements will enable easier CMMC certification. NIST 800-171 compliance also means your organization would be compliant with the Defense Federal Acquisition Regulation Supplement (DFARS) and Federal Information Security Modernization Act (FISMA).

How We Can Help

CompliancePoint’s team of cybersecurity experts offers decades of experience your organization can leverage. We can help design and implement controls that will meet the requirements of whichever NIST standard is the right fit for you. Once implemented, we can help manage your security program on an ongoing basis to ensure continuous compliance.

Our assessors and consultants are experts on the government standard for NIST compliance. Our comprehensive assessments let you identify areas of risk and implement defined security controls to meet NIST standards.