Does your business provide services to government entities, universities or research centers that receive federal funding? Or are you a contractor for the Department of Defense? Then this compliance requirement may apply to you. NIST 800-171 (National Institute of Standards and Technology Special Publication 800-171) is a cybersecurity standard that every organization handling or storing sensitive, unclassified data on behalf of the US government must comply with.


This compliance establishes requirements for protecting sensitive data on the IT networks and systems used by federal contractors. The resilience of the whole federal supply chain is increased by mandating government contractors to use best-practice cybersecurity procedures.


What is the focus of this compliance requirement? NIST 800-171 emphasizes the protection of Controlled Unclassified Information (CUI), aiming to ensure the security of such sensitive government data on contractors’ networks.


Contractors managing CUI on their networks are required under contract to comply with NIST 800-171, and these businesses are expected to perform self-assessments to establish and maintain compliance. Therefore, it’s crucial that the requirements are properly comprehended and evaluated.



What is NIST 800-171 and what is its purpose?


The publication NIST 800-171 describes the security requirements for non-federal companies that handle CUI on their networks. The National Institute of Standards and Technology (NIST), a US government organization that has developed a number of standards and publications to increase cybersecurity resilience in both the public and private sectors, originally published it in June 2015. Regular modifications to NIST 800-171 have been made in response to new cyberthreats and developing technology. In February 2020, the most recent version (Revision 2) was made public.


NIST 800-171’s cybersecurity standards are created to protect CUI in the IT networks of federal contractors and subcontractors. It outlines the standards and guidelines that government contractors must follow while processing or storing CUI on their networks. Only the areas of a contractor’s network where CUI is present are covered under NIST 800-171.


NIST 800-171 improves the security of the entire federal supply chain by establishing the cybersecurity standards for contractors who handle sensitive government information. It guarantees a common minimum level of cybersecurity for all contractors, as well as each of their individual subcontractors, who have access to CUI.



We keep talking about CUI, but what is it?


Information that belongs to or was produced by the government and is sensitive but not classified is known as Controlled Unclassified Information (CUI). This can include technical data, patents, or details on the production or purchase of goods and services. Government organizations publish lists of the relevant categories together with detailed descriptions of CUI.


Although CUI is not regarded as classified information, compromises of such sensitive information can nonetheless have a negative impact on both national security and the economy. Due to this, information breaches brought on by noncompliance with NIST 800-171 regulations may result in contract termination, legal action, financial penalties, and reputational harm.



What security measures are provided by NIST 800-171 for CUI? 


Each of the 110 standards in NIST 800-171 addresses a distinct aspect of an organization’s IT technology, policy, or procedures. Access control, system configuration, and authentication processes are all covered by requirements. They also lay out the specifications for incident response strategies and cybersecurity protocols.


Each requirement strengthens an element of the network or reduces cybersecurity vulnerabilities, and it is accompanied by extensive “discussion” text that explains the requirement’s broader context. By putting each requirement into practice, organizations can make sure that their workers, network, and systems are ready to handle CUI safely.



14 Requirement Families of NIST 800-171


The 110 security requirements in NIST 800-171 are grouped into 14 families. Each requirement family contains the requirements pertaining to the family’s overall security theme. These divisions make it simpler for an organization to implement the standard and to evaluate how well it is being followed.


Here are the 14 requirement families of NIST 800-171:



Access Control


This family of requirements relates to network, system, and data access. To ensure that only authorized users have access to the system, 22 distinct requirements are used. Additionally, requirements protect the network’s critical data flow and offer instructions for network equipment.



Awareness and Training


The ‘Awareness and Training’ family consists of three distinct requirements. They require that staff members be trained to perform their security-related responsibilities and that system administrators and users are aware of security risks and the related cybersecurity processes.



Audit and Accountability


This family of requirements, which concentrates on auditing and studying system and event logs, consists of nine requirements. To enable analysis and reporting based on best practices, the requirements concern the recording and preservation of trustworthy audit records. Regular inspection of system security logs allows cybersecurity events to be detected and mitigated.



Configuration Management


The correct configuration of hardware, software, and devices across the company’s systems and network is covered by nine requirements. This group of requirements also emphasizes restricting non-essential programs and preventing unwanted software installation.



Identification and Authentication


This set of requirements ensures that only authenticated users are allowed access to the organization’s network and systems. Eleven requirements address reliably identifying users as well as password and authentication policies and procedures. The requirements also make sure that network access reflects the difference between privileged and non-privileged accounts.



Incident Response


The ability of the company to respond to serious cybersecurity incidents is addressed by three requirements. The specifications guarantee that protocols are in place to identify, stop, and recover from a variety of incidents within the company. This entails appropriate instruction, preparation, and capability testing on a regular basis.





Maintenance


Six requirements set out the best practices for system and network maintenance. This includes regular system maintenance as well as ensuring that any external maintenance is secure and authorized.



Media Protection


Nine security requirements help enterprises manage access to sensitive media. The storage or deletion of sensitive data and media, in both physical and digital form, must follow best practices.



Personnel Security


The safeguarding of CUI in regard to personnel and workers is covered by two security requirements. The first covers the security screening of users before they are granted access to CUI-containing systems. The second ensures CUI is safeguarded during personnel changes or terminations, including the return of keys, equipment, or other items.



Physical Protection


Six security requirements, including the management of visitor access to work sites, deal with physical access to CUI within the company. Equipment, devices, and hardware must also be restricted to approved employees.



Risk Assessment


The execution and analysis of routine risk assessments are covered by two requirements. Organizations must perform routine vulnerability scans on their systems to keep network hardware and software secure and up to date. Consistently identifying and addressing flaws increases the security of the overall system.



Security Assessment


The development, maintenance, and renewal of system controls and security plans are covered by four requirements. Routinely examining security protocols highlights vulnerabilities throughout the organization so they can be remediated. This guarantees that CUI safety measures remain effective.



System and Communications Protection


Sixteen requirements address system monitoring, system security, and information transmission. They require the prevention of unauthorized information transfer and the denial of network communication traffic by default. In order to protect CUI, the requirements also incorporate best-practice cryptography policies.



System and Information Integrity


Seven requirements cover monitoring and the continuing security of the organization’s systems. Processes for spotting unauthorized system use and keeping an eye on system security alerts fall under this category.


Who has to comply with NIST 800-171?


Departments of the US government depend on a variety of outside institutions and service providers to operate. Many of these crucial services involve the processing and storage of sensitive data on the IT networks of contractors. Organizations that handle or transmit CUI as part of their contract with the US government must therefore comply with NIST 800-171.


When working with US government agencies, common organizations that may require NIST 800-171 compliance include:


  • Defense contractors
  • Organizations providing financial services
  • Web and communication service providers
  • Healthcare data processors
  • Systems Integrators
  • Colleges and universities that utilize federal data or information
  • Research institutes and labs receiving federal grants and information


Compliance with NIST 800-171 for Defense Contractors 


Contractors who process CUI for the Department of Defense (DoD) use a points-based system to demonstrate their compliance with NIST 800-171. This procedure entails evaluating one’s compliance with each of the 110 requirements listed in NIST 800-171 and scoring oneself against them. An organization can earn up to 110 points in total, one for each requirement that is fully implemented, while unimplemented or partially implemented requirements result in weighted penalty points (ranging from -1 to -5) being deducted. Final scores must be reported prior to contract award or renewal; they are registered in the DoD’s Supplier Performance Risk System (SPRS).


A System Security Plan (SSP) is another requirement for defense contractors to provide as proof of NIST 800-171 compliance. The SSP offers a thorough overview of the IT network of a firm, including its hardware, software, security procedures, and policies.


A Plan of Actions and Milestones (POAM) document should record any NIST 800-171 requirements that a DoD contractor has not yet met. The POAM, which outlines the key deadlines and timescales for achieving complete compliance, must be presented before the contract starts. As the organization resolves areas of non-compliance and its cybersecurity policies mature, the POAM can be updated.


The DoD requires that the SSP and any associated NIST 800-171 POAM be uploaded and updated in SPRS as they are both essential proofs of compliance.
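The scoring and POAM procedure described above, as an added worked example (not code from the original post or from DoD/SPRS): a small self-assessment record is scored by starting at 110 and deducting each unmet requirement’s weight, and the unmet requirements are turned into POAM rows. The requirement ids are real NIST SP 800-171 numbers, but the weights and statuses in the sample are constructed placeholders, not the official DoD Assessment Methodology values.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample: (requirement id, weight, status). The ids are NIST SP
# 800-171 requirement numbers; the weights are placeholders for the DoD
# Assessment Methodology values (1 to 5 per requirement), not the real ones.
SAMPLE_ASSESSMENT = [
    ("3.1.1", 5, "implemented"),
    ("3.1.2", 5, "implemented"),
    ("3.3.1", 5, "partial"),
    ("3.4.1", 5, "not_implemented"),
    ("3.5.3", 5, "implemented"),
    ("3.8.3", 1, "not_implemented"),
]
MAX_SCORE = 110  # one point per requirement; 110 requirements in total
VALID_STATUS = {"implemented", "partial", "not_implemented"}

@dataclass
class Finding:
    requirement: str
    weight: int
    status: str

def sprs_score(records: Iterable[Tuple[str, int, str]]) -> Tuple[int, List[Finding]]:
    """Start at 110 and deduct each unmet requirement's weight; partial
    implementation counts as unmet. Requirements absent from `records` count
    as implemented, so a real assessment lists all 110. Score may go negative."""
    seen = set()
    findings: List[Finding] = []
    for req_id, weight, status in records:
        if req_id in seen:
            raise ValueError(f"duplicate entry for {req_id}")
        seen.add(req_id)
        if not 1 <= weight <= 5:
            raise ValueError(f"{req_id}: weight {weight} outside 1..5")
        if status not in VALID_STATUS:
            raise ValueError(f"{req_id}: unknown status {status!r}")
        if status != "implemented":
            findings.append(Finding(req_id, weight, status))
    return MAX_SCORE - sum(f.weight for f in findings), findings

def poam_rows(findings: List[Finding]) -> List[str]:
    """One POAM line per unmet requirement, largest deduction first."""
    ordered = sorted(findings, key=lambda f: (-f.weight, f.requirement))
    return [f"{f.requirement}\t-{f.weight}\t{f.status}\tmilestone: TBD" for f in ordered]

if __name__ == "__main__":
    score, findings = sprs_score(SAMPLE_ASSESSMENT)
    print(f"SPRS score: {score}")       # 99 for the constructed sample
    print("\n".join(poam_rows(findings)))
```

The validation raises on duplicate entries and out-of-range weights so a spreadsheet export with a typo cannot silently inflate the score.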


The significance of NIST 800-171 compliance: “For DoD contractors, the ultimate goal is CMMC certification. And for those defense companies who handle CUI on their networks, accurate and ongoing NIST 800-171 compliance will be the bridge to CMMC success.”



NIST 800-171 Checklist and Recommended Practices


Self-assessment is used to demonstrate conformity with NIST 800-171. Meeting the 110 requirements that firms must adhere to in order to be compliant can be challenging. Nevertheless, carrying out a NIST 800-171 assessment follows a defined procedure.


The eight steps for performing a NIST 800-171 self-assessment are as follows:


  1. Assemble an assessment team with senior information security stakeholders’ feedback.
  2. Create an assessment strategy with a timetable and goals.
  3. Launch a campaign for internal communication to raise awareness of the project.
  4. Compile a list of contacts for staff members with pertinent duties, such as system administrators and information security experts.
  5. Gather pertinent papers, such as current security policies, system records and manuals, prior audit results and logs, admin guidance documents, and documents describing system design.
  6. Examine each requirement listed in the NIST 800-171 publication and note your findings.
  7. Draft a plan of action outlining how any requirements that aren’t met will be satisfied.
  8. Add all supporting documentation to a System Security Plan (SSP) document.



Preparing for a NIST Assessment


The NIST 800-171 self-assessment is challenging because it examines every component of a company’s network and security systems that interact with CUI. Because of this, preparedness is essential.


The executive in charge of cybersecurity policies and the core leadership team should both provide advice when putting together the assessment team. An assessment plan that defines the project’s timeline, objectives, and scope should be made before getting started.


Here are the five steps to getting ready for a NIST assessment:


  1. Compile the current security guidelines and practices.
  2. Make contact with important parties involved in information security.
  3. Determine the assessment’s beginning and ending points.
  4. Gather relevant data and past audit findings.
  5. Let everyone in the organization know about the initiative.



It can take a lot of time and effort to evaluate each of the 110 requirements. Finding the right NIST assessment tool to automate parts of the audit should be a top priority. With the right cybersecurity partner, a NIST assessment can be seamless; you just have to find the right company to assist you. Here at Intelecis, we will make sure your NIST journey is easy. Contact us today to start improving your business’s NIST compliance preparation.