NIST 800-171 compliance refers to a set of requirements for non-federal computer systems storing and processing Controlled Unclassified Information (CUI): government-created or owned information that requires safeguarding.
That newly-acquired government contract makes compliance with NIST 800-171 a requirement for your company, but what is the first step towards achieving it?
Clearly understanding what NIST 800-171 is (and isn't) before embarking on the steps to become compliant is key to the long-term success for your organization.
NIST SP 800-171 refers to the National Institute of Standards and Technology Special Publication 800-171. This publication governs requirements for Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations.
The layperson definition of NIST 800-171 is:
"A set of standards that define how to safeguard and distribute material deemed sensitive by a government body, but not classified."
Accurate record keeping and strict data handling protocols are clear priorities when the stakes are so high, opening doors for new business opportunities with the government.
Here's how the system works...
Why NIST 800-171 Compliance Matters: an Overview
The steps required to make your company NIST 800-171 compliant shouldn’t be considered as obstacles or hurdles to overcome, but rather as goals to be achieved. To play a role in federal government supply chains, NIST 800-171 is a key part.
It matters to your company because it equates to new streams of revenue that would not be attainable otherwise while allowing you to enter the world of government contracts.
Understanding and complying with NIST 800-171 policies means your company has demonstrated the ability to fulfill its role of protecting the confidentiality of CUI.
How NIST SP 800-171 Came To Be
In December 2002, the Federal Information Security Management Act (FISMA) was passed in response to a few well-publicized security breaches that occurred at the U.S. Post Office and National Oceanic and Atmospheric Administration.
NIST 800-171 was established shortly after the passing of that act to clearly define how material that is deemed sensitive, but not necessarily classified, must be protected and distributed.
On Dec 31, 2017, a revised set of rules for NIST was established requiring any company that worked with CUI for government agencies, such as the Department of Defense (DoD), to implement security measures on non-federal technology systems.
Prior to these requirements, there were challenges with the uniformity of requirements as every government agency seemed to have their own unique standards for handling and safeguarding material like CUI.
This is no longer the case thanks to NIST SP 800-171 requirements.
Regulations To Know for NIST 800-171 Compliance
If your company enjoys being a component of supply chains associated with government contracts, it also requires compliance with the Federal Acquisitions Regulations (FAR), including the Defense Federal Acquisition Regulation Supplement (DFARS).
The definition of FAR is:
"A collection of principles that “oversees” the government procurement processes; it regulates the purchasing of goods and services by the U.S. government."
Whereas DFARS is:
"A Department of Defense (DoD)-specific supplement that was drafted to accompany FAR regulations. DFARS provides acquisition regulations specific to the DoD."
It's important to keep an eye out for these two regulations as they guide all of the contractual agreements between government bodies and third-party suppliers.
NIST 800-171 Requirements & Control Families
Companies will find that NIST 800-171 lists a number of control measures that define compliance requirements. For example:
Access control, or who has access to certain areas of your company
Media protection, or how your company handles external hard drives
Physical protection, or who has access to the CUI at your company
Awareness and training, or whether your staff is trained for handling CUI
This last point is key as training employees on how to handle CUI is a critical component of successful NIST 800-171 compliance.
This is a neglected part of the process but it shouldn't be.
Many more control families are to be considered to ensure compliance but for the sake of brevity we've highlighted four of the most important examples.
Types of Companies that Require NIST 800-171 Compliance
If your company directly provides products or services to a government agency, then you need to have a plan to become NIST 800-171 compliant. The same holds true if you are indirectly working with a government agency through a middleman.
Essentially, if your company handles CUI to any extent, becoming NIST 800-171 compliant is an essential step.
One resource to consider in determining if compliance is a requirement for your company is highlighted within the abstract of the NIST SP 800-171 R2 document (PDF):
"The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components."
The following types of organizations need to comply with NIST 800-171:
Consulting agencies with federal contracts
Contractors for the Department of Defense (DoD)
Service providers for federal agencies
Manufacturers who supply products to federal agencies
Keep in mind that non-compliance against a set deadline (usually end of year) means immediate contract termination and, possibly, significant sanctions.
Next Steps in Your NIST 800-171 Compliance Journey
It's important to emphasize that mid-size and smaller companies can often be targeted as an easy point-of-access to larger businesses and possibly government agencies, making these companies the ideal victims for “hackers” and other malicious actors.
NIST 800-171 compliance is the best defense mechanism against such activities.
Companies pursuing compliance on their own, without the appropriate expertise and guidance, can find themselves at a significant liability if they approach it in the wrong way.
Encompass Consultants guides companies through the implementation of the intricate control measures required in achieving NIST 800-171 compliance.
Learn more by clicking on the image below.
Originally published Mar 24 2021
Frequently asked questions
1. Who does NIST 800-171 apply to?
NIST SP 800-171 controls apply to federal government contractors and sub-contractors. If you or another company you work with has a contract with a federal agency, you must be compliant with this policy. This is with no exception.
2. How do I become NIST 800-171 compliant?
Encompass Consultants has a NIST 800-171 compliance checklist available for anybody to learn from. Check out our blog to learn more about how to become compliant.
3. What is the difference between NIST 800-53 and 800-171?
The significant difference between NIST 800-53 and 800-171 is that the latter relates to non-federal networks whereas the former applies exclusively to federal ones.