NIST 800-171 Compliance Services
Comprehensive and cost-effective services to help you meet NIST 800-171 and CMMC requirements.
NIST SP 800-171 is a NIST Special Publication that provides recommended security requirements for protecting the confidentiality of controlled unclassified information (CUI). As of November 30, 2020, defense contractors are required to implement the NIST 800-171 requirements to protect the covered defense information handled under their defense contracts, as required by DFARS clause 252.204-7012.
Find out more about what this DFARS rule change means for you.
What is NIST 800-171?
There are 110 controls, grouped into 14 security requirement families, necessary for NIST 800-171 compliance: Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Incident Response; Maintenance; Media Protection; Physical Protection; Personnel Security; Risk Assessment; Security Assessment; System and Communications Protection; and System and Information Integrity.
NIST 800-171 was developed to ensure CUI is properly protected on a consistent basis across the Defense Industrial Base (DIB) to make sure that the federal government can carry out its missions.
How does NIST 800-171 impact you?
Every defense contractor must meet the requirements of a Basic Assessment: a self-assessment that uses the organization’s existing System Security Plan (SSP) and Plan of Actions and Milestones (POAM) to calculate its own score, which is then entered in the Supplier Performance Risk System (SPRS). The SPRS entry consists of six fields: SSP name, CAGE code associated with the plan, a brief description of the plan architecture, date of the assessment, total score, and the date by which a score of 110 will be achieved. If you already have an SSP and POAM, completing the Basic Assessment should take less than an hour.
Some organizations will also be required to undergo a Medium Assessment (the DoD estimates this will affect 200 unique organizations each year) or a High Assessment (the DoD estimates this will affect 110 unique organizations each year).
Additionally, prime contractors now have a responsibility to ensure their subcontractors have submitted their information prior to awarding a contract.
These new requirements (and increased scrutiny of old requirements) can potentially impact you as a defense contractor in a number of ways:
- You will lose the ability to bid on contracts if you do not meet these requirements.
- If you can’t demonstrate to your prime contractors that you meet the requirements, you may lose business to another subcontractor who can.
- If you make a claim that doesn’t hold up to government scrutiny, you could potentially face legal action.
- You will need to spend money and time upgrading your programs to meet the requirements.
- You don’t have a lot of time to prepare. Prime contractors are already asking questions of their subcontractors, and the government will begin enforcing these new requirements on Nov. 30.
Achieving NIST 800-171 Compliance
Achieving NIST 800-171 compliance can be quite a challenge. It requires a deep understanding of your networks, security processes, and procedures, so much so that the National Institute of Standards and Technology (NIST) stated that “the first thing they should keep in mind is that being DFARS compliant likely involves working with a cybersecurity consultant that knows the NIST SP 800-171 requirements inside and out.”
The right cybersecurity compliance partner can help you implement the most comprehensive solution for your business by helping you write policies, implement technology, document your practices, assess business risk, and put into place the cyber program management needed to ensure you mature to meet the increasing demands on the Defense Industrial Base.