NIST 800-171: What to Know

Written by CISOSHARE

July 18, 2017


When an organization works with government agencies such as the Department of Defense (DoD), protecting sensitive information is key. A whole host of rules and regulations govern how third parties must handle such information, and failure to ensure compliance could result in loss of government contracts.

Starting in December 2015, the Defense Federal Acquisition Regulation Supplement (DFARS) laid out additional cybersecurity requirements that organizations must adhere to while working with the DoD. The deadline for implementing the security requirements those clauses reference, NIST Special Publication (SP) 800-171, was extended to December 31, 2017. Will your organization be prepared when this round of federal acquisition requirements takes effect?

What Is NIST 800-171?

The title of the publication, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” gives an excellent summary of its purpose. The DoD requires that third-party contractors provide certain assurances about the security of their IT systems if they would like to continue working with the Department and receiving sensitive information.

The “covered defense information” that the DFARS clause is concerned with is the DoD’s form of Controlled Unclassified Information (CUI). The DoD defines such information as being:

[…] unclassified controlled technical information or other information as described in the Controlled Unclassified Information (CUI) Registry at, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is

1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Failure to meet the December 31, 2017 deadline can prevent an organization from securing future contracts with the DoD.

How Can My Organization Ensure NIST 800-171 Compliance?

Even if your organization is already well on the way to being DFARS compliant, it’s essential to ensure that it meets all NIST 800-171 requirements by the deadline. NIST 800-171 groups its security requirements into 14 families (access control, audit and accountability, configuration management, identification and authentication, incident response, and so on), and confirming that every one of your organization’s processes aligns with each requirement is a taxing exercise.

The initial NIST 800-171 implementation is only the first step in NIST 800-171 compliance. Once all controls and processes are in place, they must be continually monitored and tested to validate that they remain correctly configured and effective, and any gaps must be documented and tracked to closure.

NIST 800-171 Compliance with CISOSHARE

At CISOSHARE, getting our clients’ information security systems up-to-date is our specialty. From the healthcare field to working with government agencies, we are well-versed on what is required to ensure that all systems and procedures adhere to strict laws and standards. We work tirelessly to meet all customer, regulatory, and competitive demands in our field.

This includes the requirements laid out in DFARS. If your organization is struggling to understand and implement the requirements listed in NIST 800-171, get in touch with an expert. We’ll get you on the path to compliance well before this year’s deadline and ensure that your systems stay within the letter of the regulation even after the deadline has passed.
