FAQs

What is NIST 800-171 compliance?

NIST 800-171 regulates the practices and procedures that must be followed to safeguard Controlled Unclassified Information (CUI), both physical and digital, that companies in the Defense Industrial Base (DIB) have access to. These guidelines were originally published in 2015 by the National Institute of Standards and Technology (NIST) and are updated regularly to reflect the changing cybersecurity landscape.

How does NIST 800-171 relate to CMMC?

If NIST 800-171 is the standard, CMMC is how you get there.

Enforcement of NIST 800-171 began in 2018, but compliance across the DIB remained low in the years that followed. To address that, the DoD created CMMC (Cybersecurity Maturity Model Certification), a tiered approach that audits and outlines the steps and levels for obtaining baseline cybersecurity. Based heavily on NIST 800-171 and other cybersecurity standards, CMMC requires documentation of processes and procedures, management and review of cyber events, and verification by a third-party auditor to confirm compliance.

Who does NIST 800-171 apply to?

Both prime contractors and subcontractors working with the DoD or another federal agency are now required to meet NIST 800-171 compliance standards. Previously, only companies that directly held contracts with the DoD or federal agencies were required to meet cybersecurity compliance standards. However, as cyberattacks began targeting the subcontractors of these organizations, the need for third parties and their affiliates to meet the same standards became increasingly critical.

How does my business prepare to become NIST compliant?

The best place to start is to assess where your business currently stands against the NIST 800-171 requirements. Comparing the processes and practices outlined in the official NIST 800-171 publication against what your business currently does for cybersecurity gives you a good sense of what else is needed, or what needs to change, to meet NIST compliance. Paying special attention to your documentation efforts, which controls are followed, and how your CUI is managed and accessed can help set you on the course to compliance.

What is NIST 800 171 Compliance?

Answering the question “What is NIST 800 171 compliance?” requires a deep dive into its practices. We’re going to explore how this standard separates itself from other cybersecurity measures, what steps you must take to be ready, and how our NIST compliance checklist can help get you started.


NIST 800 171 gives companies, employees, and contractors a set of requirements, outlined by the National Institute of Standards and Technology, that serve several purposes: compliance with the Department of Defense (DoD) and its Defense Federal Acquisition Regulation Supplement (DFARS), defense against cybersecurity incidents, and protection of CUI (controlled unclassified information) and other sensitive data.


The NIST special publication 800 171 (NIST SP 800 171) details the standards and protocols that help organizations that process sensitive unclassified information protect and monitor their data. NIST 800 171 is a contractual obligation for businesses handling CUI, and compliance is mandatory to safeguard data from breaches, information security leaks, and cybersecurity threat actors.

NIST 800 171 compliance also helps prepare for CMMC certification and compliance, a critical component for contractors wanting to conduct business with the DoD and federal agencies that require a high level of cybersecurity protection.


What is the difference between NIST 800 171 rev 1 and NIST 800 171 rev 2?

NIST 800 171 rev 1 draws its basic controls from NIST’s Cybersecurity Framework (CSF) and Federal Information Processing Standards Publications (FIPS) 199 and 200. It covers 14 security requirement families and their 110 security controls.

NIST SP 800 171 revision 2 (NIST SP 800 171 Rev. 2) protects controlled unclassified information within non-federal organizations, networks, and systems by setting recommended security requirements. Those requirements govern the protection of CUI, i.e., sensitive data such as health information, intellectual property, and critical infrastructure information.


NIST 800 171 controls

NIST 800 171 requirements detail the following controls, which are essential to non-federal organizations’ cybersecurity policies and practices. Compliance with NIST 800 171 is necessary for all contractors of the Department of Defense and U.S. government agencies.

Failure to comply with NIST 800 171 standards means losing federal contracts and status as a DoD contractor.

To help organizations demonstrate compliance with NIST and other cybersecurity standards, define assessment objectives, and suggest potential assessment methods and objects, NIST SP 800 171A organizes the 110 controls within the 14 general security topics listed below.

1. Access control: Determine who has data access and authorization.

2. Awareness and training: Provide personnel (employees and government contractors) with adequate CUI handling training.

3. Audit and accountability: Monitor access to sensitive information and who is responsible for the security policies associated with CUI.

4. Configuration management: Ensure employees, contractors, and subcontractors adhere to cybersecurity policies and achieve compliance.

5. Identification and authentication: Manage and audit any and all instances of CUI within the organization and with contractors.

6. Incident response: Prepare a system security plan (SSP) for potential security breaches and cybersecurity hazards involving CUI.

7. Maintenance: Ensure ongoing security and change management to safeguard CUI.

8. Media protection: Implement information security for external drives, backups, and equipment.

9. Physical protection: Authorize proper personnel (including contractors and subcontractors) to access physical spaces where CUI is transmitted.

10. Personnel security: Prepare staff and contractors to identify and minimize internal security risks through best practices, standards, and guidelines.

11. Risk assessment: Conduct testing and create a CUI compliance analysis.

12. Security assessment: Verify that requirements related to the general security procedures are set and operational.

13. System and communications protection: Shield all channels and networks.

14. System and information integrity: Implement technical solutions for vulnerabilities and analyze, prevent, and mitigate system downtime.


NIST 800 171 checklist

If you require NIST 800 171 compliance and need a NIST assessment, here’s our NIST 800 171 compliance checklist to help you meet cybersecurity requirements and prepare for your organization’s CMMC compliance needs.

Determine scope

Find out what you need to stay compliant with NIST SP 800 171: additional training for your staff, detailed self-assessments, contract clauses with subcontractors and their compliance levels, and the process for handling sensitive CUI.

Document

Meeting all controls and requirements is crucial for passing NIST SP 800 171 inspections and DoD NIST 800 171 scoring assessments, and this can only be done through careful record-keeping. To prepare for an audit, have records from several domains available for review: system and network architecture, data flow, personnel, processes and protocols, and future modifications.

Conduct gap analysis and review

To ensure full compliance with NIST 800 171, analyze and review any areas where your current practices fall short. Pay special attention to access control requirements and note any shortcomings or flaws in your existing systems. Document these issues and address them in the Plan phase.

Plan

Create a comprehensive, NIST-compliant system security plan (SSP), including a remediation plan for the case that CUI is compromised, and record it correctly. Document your procedures so that a NIST 800 171 compliance audit can verify them against your SSP and CUI retention standards. Finally, establish a Plan of Action and Milestones (POA&M) to track progress.

Audit

Collect relevant documentation and evidence to support your NIST compliance audit. Identify the specific requirements you will address from the 14 control families listed in NIST 800 171. When implementing measures to comply with these requirements, creating an audit trail that demonstrates the actions taken and ensures accountability is crucial.

Let’s move on to our full NIST SP 800 171 checklist and step-by-step instructions.

Download our free NIST 800 171 implementation guide

Need a refresher to help prepare you for NIST 800 171 compliance (and subsequently CMMC compliance)? Download the guide to get ready.


Need help with NIST SP 800 171 compliance best practices?

You, your company, and your contractors must have NIST 800 171 certification to meet the requirements of maintaining secure and compliant cybersecurity practices.

There are many types of compliance, but the NIST 800 171 control families also help prepare companies to be CMMC compliant.

The security requirements of NIST 800 171 are also essential for CMMC 2.0 compliance, especially CMMC Level 3, which consists of 110 NIST controls.

With the help of an experienced NIST partner, you can conduct thorough compliance assessments and audits, establish a concrete SSP, and implement a systematic review that helps you tick off the boxes of your NIST 800 171 checklist.

Hyper Vigilance offers complete and effective managed compliance services tailored to your business needs.


Testimonials

Hyper Vigilance was the right choice to guide us through the cybersecurity process as we attempt to grow the business. They provide excellent service, and we continue to look forward to working with the Hyper Vigilance team. We are very grateful for how they simplified the entire process and for their efficiency during the transition to a secure platform!

Hyper Vigilance moved us from a negative NIST score to almost full compliance in less than 1 month. The team is experienced, quick, and efficient, and works to find the best solution to maintain business operations while keeping security at the maximum level. Communication and issue resolution are fast. Highly recommended.