NIST 800-171

Are you Worried about NIST Compliance?

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations is designed specifically to protect unclassified information outside the government.

With the amended DFARS 252.204.7008 (Compliance with Safeguarding Covered Defense Information Controls) and DFARS 252.204.7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) requirements, Department of Defense contractors will have until December 31, 2017 to fully implement NIST 800-171 controls on covered contractor information systems. It’s not too late to act! Get your SSP in place ASAP.

What is CUI and does it apply to my organization?

Controlled Unclassified Information (CUI) is defined in the CUI Registry, which is maintained by the National Archives. The CUI Registry is the government-wide online repository for Federal-level guidance regarding CUI policy and practice. To see if you handle CUI, visit the Archives Registry page found here.

The language used within the requirement states that any Federal contractor or subcontractor that contracts with the Department of Defense (DoD) needs to be NIST 800-171 compliant. Knowing the type of CUI you handle is great, but it’s only the first step towards compliance.

Is your organization ready?

The mandate itself provides guidance and defines 14 categories of security requirements for CUI:

Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity
Don’t be scared!

The security controls above sound technical, right? Not necessarily. Under NIST 800-171, the vast majority of the above-mentioned security requirements are process and documentation related. The requirement wants to make sure that your organization has the proper processes in place, many of which don’t need a technical solution in order to be considered compliant.

Let ISMS Help!

ISMS Solutions, in partnership with NSF International, can provide your organization with all the necessary tools to assess, update, and meet the requirement. We’ve broken down the process into two steps:

  1. Gap Assessment

    • An ISMS Solutions or NSF International assessor will travel onsite to perform a Gap Assessment. This Gap Assessment will identify the type(s) of CUI your organization handles, as well as identify the gaps within your System Security Plan (SSP).

  2. Implementation & Verification

    • Implementation: If your organization has multiple gaps ISMS & NSF can help. During the Implementation process we create custom processes, procedures, and documents that align to your needs. We also advise on any technical solutions that may be needed (e.g. 2-party authentication tools) in order to be considered compliant.

    • Verification: Knowing that non-certification compliance is tricky, we offer all Implementation clients the Verification process at no extra charge. An NSF independent auditor will assess the system and determine compliance. If compliance is achieved, NSF International will issue a 2nd party Letter of Verification stating that the system is currently compliant with the requirement.

For more information on how ISMS Solutions can help your organization become compliant, click below.

Contact a Specialist