Understanding NIST SP 800-171 to Ensure Compliance for Your Business

November 17, 2022

If your business handles sensitive government information, it’s imperative you understand what NIST SP 800-171 is and how it impacts your business. Adequate knowledge of NIST 800-171 will help you evaluate your organization’s state of compliance and identify any deficiencies requiring immediate remediation.

What is NIST 800-171?

NIST SP 800-171 is a set of guidelines published by the National Institute of Standards and Technology (NIST) to “ensure that sensitive federal information remains confidential when stored in nonfederal information systems and organizations.”

What is the purpose of NIST 800-171?

The main purpose of NIST 800-171 is to strengthen the whole federal supply chain. The implementation and assessment of the NIST Special Publication (SP) 800-171 is mandatory for any entity and service provider who receives or creates Controlled Unclassified Information (CUI) from or for the U.S. Department of Defense (DOD). 

A broad range of organizations must adhere to this cybersecurity regulation because the exploitation of sensitive data poses a national risk and because supply chain attacks are common.

What is the latest version of NIST 800-171?

SP 800-171 was published in June 2015 and since then two minor updates were made — one in December 2016 and another in February 2020. NIST SP 800-171 Revision 1 (Rev 1) was superseded by SP 800-171 Revision 2 (Rev 2), which is the current version.

NIST is planning an update with NIST SP 800-171 Revision 3 (Rev 3), but the publication date is yet to be announced.

Who does NIST 800-171 apply to?

NIST 800-171 compliance is mandatory for the following entities:

  • Government contractors
  • Department of Defense contractors (DOD contractors)
  • Service providers processing data for government agencies and federal agencies
  • Any entity with a federal contract
  • Any entity and subcontractor processing federal information
  • Health care data processors
  • Education entities with access to federal data (such as colleges and universities)

What is Controlled Unclassified Information (CUI)?

According to the U.S. National Archives and Records Administration (NARA), Controlled Unclassified Information (CUI) is “information that requires safeguarding or dissemination controls according to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

CUI is an umbrella term for information that is not classified as National Security Information but needs some level of protection. Businesses that handle the following information linked to the federal government in any way must comply with the NIST SP 800-171:

  • Electronic and paper documents
  • Intellectual property
  • Emails
  • Proprietary information
  • Designs and specifications

What is the difference between NIST 800-171 and NIST 800-53?

The key difference between the two is that while NIST 800-171 relates to non-federal systems and organizations, NIST 800-53 is for federal organizations. However, if your business handles CUI in any form, you do not have to be linked to a federal system to fall under the compliance purview of NIST SP 800-171. 

What are the NIST 800-171 requirements?

The core of NIST 800-171 consists of 110 security requirements distributed across 14 distinct requirement families. Each family comprises at least one basic requirement and, in most cases, several derived requirements. Here is an overview of the families:

1. Access control

It comprises two basic and 19 derived requirements that ensure only authorized staff have access to CUI.

2. Awareness and training

It comprises two basic and one derived requirement that ensure adequate training and skills are provided to those responsible for protecting CUI.

3. Audit and accountability

It comprises two basic and seven derived requirements that ensure contractors regularly audit, log and protect audit information.

4. Configuration management

It comprises two basic and seven derived requirements to ensure configurations, systems and software are standardized and managed in definable and measurable ways.

5. Identification and authentication

It comprises two basic and nine derived requirements to ensure system access is granted only to staff whose identity has been verified and who are authorized.

6. Incident response

It comprises two basic and one derived requirement to help a business plan its response to a breach and ensure it can resume operations quickly.

7. Maintenance

It comprises two basic and four derived requirements to ensure vulnerabilities are addressed, holes patched and subsystems function optimally.

8. Media protection

It comprises three basic and six derived requirements that ensure minimum safeguards are in place for CUI-related media.

9. Personnel security

It comprises two basic requirements to ensure contractors, employees and vendors are thoroughly vetted and approved.

10. Physical protection

It comprises two basic and four derived requirements to ensure necessary safeguards are in place for protecting hardware related to CUI.

11. Risk assessment

It comprises one basic and two derived requirements to ensure measures are in place for periodic evaluation and mitigation of security risks.

12. Security assessment

It comprises four basic requirements to periodically test and review security control measures.

13. System and communications protection

It comprises two basic and 14 derived requirements to protect CUI data from unauthorized exposure.

14. System and information integrity

It comprises three basic and four derived requirements to ensure systems and information remain trustworthy and have not been maliciously or accidentally changed.

How do I become NIST 800-171 compliant?

If your business handles CUI, you are expected to implement NIST 800-171 under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. To ensure your business is compliant with NIST 800-171, you must perform the following actions:

  1. Conduct a cybersecurity self-assessment.
  2. Review your organization’s System Security Plan (SSP) and how it handles the covered information system(s).
  3. Review the 110 security requirements and document if they have been implemented fully, partially or not implemented.
  4. After completing your NIST 800-171 Basic Assessment, you can score it using the DOD Assessment Methodology.
  5. Additionally, you can create a Plan of Action and Milestones (POA&M) strategy for all the security practices you marked as “Partially Implemented” or “Not Implemented.”
  6. Submit your score and additional information to DOD via the Supplier Performance Risk System (SPRS).

Understanding DOD Assessment Methodology

The NIST 800-171 DOD Assessment Methodology is a scoring system to assess a contractor’s implementation of NIST SP 800-171. Each of the 110 security requirements in 800-171 is assigned a weighted subtractor value of 5, 3 or 1 point. A perfect score is 110: every requirement you have implemented keeps its points, and every requirement you have not implemented subtracts its value from the total.
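As an added worked example (not code from this article and not part of Compliance Manager GRC), the following Python scorer applies the scoring rule above to a list of requirement statuses and pulls out the items that need a POA&M entry (step 5 of the procedure above). The requirement IDs, weights and statuses in `SAMPLE` are constructed for illustration and are only a subset of the 110 requirements, so unlisted requirements are treated as implemented. The partial-credit rule for requirements 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography) comes from the published DOD Assessment Methodology, which this article does not describe.

```python
"""SPRS score and POA&M extraction for a NIST SP 800-171 self-assessment.

Added illustration; not the article's or any vendor's code.
Assumptions:
  - SAMPLE below is CONSTRUCTED data covering only a subset of the 110
    requirements; any requirement not listed is treated as implemented.
  - Partial credit for 3.5.3 and 3.13.11 follows the published DOD
    Assessment Methodology (not stated in the article).
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

PERFECT_SCORE = 110          # score with every requirement implemented
VALID_WEIGHTS = (5, 3, 1)    # subtractor values used by the methodology


class Status(Enum):
    IMPLEMENTED = "Implemented"
    PARTIAL = "Partially Implemented"
    NOT_IMPLEMENTED = "Not Implemented"


@dataclass(frozen=True)
class Requirement:
    req_id: str    # e.g. "3.1.1" (family.requirement numbering of SP 800-171)
    family: str    # requirement family name
    weight: int    # subtractor value: 5, 3 or 1 point
    status: Status


# Only these two requirements earn partial credit: a partial implementation
# subtracts 3 points instead of the full 5 (DOD Assessment Methodology).
PARTIAL_CREDIT_SUBTRACTOR = {"3.5.3": 3, "3.13.11": 3}


def subtractor(req: Requirement) -> int:
    """Points deducted for a single requirement."""
    if req.status is Status.IMPLEMENTED:
        return 0
    if req.status is Status.PARTIAL and req.req_id in PARTIAL_CREDIT_SUBTRACTOR:
        return PARTIAL_CREDIT_SUBTRACTOR[req.req_id]
    # Every other partial implementation scores the same as not implemented.
    return req.weight


def validate(reqs: list[Requirement]) -> None:
    """Reject duplicate IDs and weights outside the 5/3/1 scheme."""
    ids = [r.req_id for r in reqs]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate requirement id in assessment")
    for r in reqs:
        if r.weight not in VALID_WEIGHTS:
            raise ValueError(f"{r.req_id}: weight must be one of {VALID_WEIGHTS}")


def sprs_score(reqs: list[Requirement]) -> int:
    """Score to report in SPRS: 110 minus the sum of all subtractors."""
    validate(reqs)
    return PERFECT_SCORE - sum(subtractor(r) for r in reqs)


def poam_items(reqs: list[Requirement]) -> list[Requirement]:
    """Requirements marked partially or not implemented need a POA&M entry."""
    return [r for r in reqs if r.status is not Status.IMPLEMENTED]


def poam_by_family(reqs: list[Requirement]) -> dict[str, list[str]]:
    """Group open POA&M items by family for the remediation plan."""
    grouped: dict[str, list[str]] = {}
    for r in poam_items(reqs):
        grouped.setdefault(r.family, []).append(r.req_id)
    return grouped


# Constructed sample assessment (IDs, weights and statuses are illustrative).
SAMPLE = [
    Requirement("3.1.1", "Access control", 5, Status.IMPLEMENTED),
    Requirement("3.1.2", "Access control", 5, Status.NOT_IMPLEMENTED),
    Requirement("3.1.5", "Access control", 3, Status.NOT_IMPLEMENTED),
    Requirement("3.3.1", "Audit and accountability", 5, Status.PARTIAL),
    Requirement("3.5.3", "Identification and authentication", 5, Status.PARTIAL),
    Requirement("3.8.4", "Media protection", 1, Status.NOT_IMPLEMENTED),
    Requirement("3.13.11", "System and communications protection", 5, Status.PARTIAL),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))        # 110 - (5+3+5+3+1+3) = 90
    for family, ids in poam_by_family(SAMPLE).items():
        print(f"POA&M {family}: {', '.join(ids)}")
```

Note that 3.3.1 marked "Partially Implemented" loses its full 5 points: outside the two exceptions, a partial implementation scores exactly like a missing one, so the honest self-assessment and the score can look harsher than the remediation backlog suggests.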

How long does it take to become NIST 800-171 compliant?

Establishing compliance with NIST SP 800-171 is a time-consuming process, but given that the cost of non-compliance can be the loss of your DOD contracts, it is well worth the time and effort. It could take at least six months to ensure compliance as you work to verify your networks and procedures have the appropriate protections and safeguards in place.

You will also have to ensure each element of your organization that is covered by a Commercial and Government Entity (CAGE) code has been made part of your organization’s SSP.

How do I take the NIST 800-171 assessment?

If your organization is looking to complete a NIST 800-171 self-assessment, you can do so with an IT compliance solution.

With world-class IT compliance software such as Compliance Manager GRC, you can easily produce the required documentation that demonstrates you have adequate security in place to protect covered defense information, as required by DFARS clause 252.204-7012. You can also produce an itemized scorecard for each of the 110 controls included in NIST SP 800-171.

The good news is our NIST SP 800-171 assessment tool also includes a CMMC 2.0 management template.

Manage NIST 800-171 Compliance with Compliance Manager GRC

Compliance Manager GRC is an indispensable part of your compliance arsenal to stay on top of the ever-changing rules. The web-hosted and role-based solution includes automated data collection, an automated report generator and a vast library of IT controls. Create your own custom standards, track and manage compliance with NIST 800-171 or any other standard — all at the same time and in the same place.

Compliance Manager GRC allows you to:

  • Perform a Rapid Baseline Assessment to quickly determine how far along you or your clients are in the compliance journey and generate interim reports with updated and accurate information.
  • Deploy non-intrusive data collectors to collect information needed to complete the assessment.
  • Automatically create a variety of reports for NIST SP 800-171 compliance including those required for compliance with the CMMC interim rule — the mandatory assessment scoresheet, the mandatory SSP and POA&M documents.
  • Generate a security risk assessment and management plan to remediate discovered issues.
  • Compile evidence of compliance for each control, which can be directly accessed by DOD auditors.

Request a demo of Compliance Manager GRC today to make your compliance journey hassle-free.