
NIST 800-171 for DoD Contractors

In an ever-changing compliance landscape, it’s easy to lose sight of where we started, where we are today, and how we got here. The story of compliance around Controlled Unclassified Information (CUI) began in 2015, when the National Institute of Standards and Technology (NIST) published NIST 800-171. Since then, additional regulations such as DFARS and CMMC have entered the equation and expanded upon this original framework. Given the dynamic nature of compliance in government contracting, it is crucial for organizations to adopt a holistic approach. To understand the foundation upon which current compliance standards are built, it is imperative to delve into NIST 800-171.


What is NIST 800-171?

NIST 800-171 is a publication from the National Institute of Standards and Technology. The formal name of this publication is “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” NIST 800-171 provides a framework for government contractors to follow to protect CUI. Specifically, this publication outlines 110 security controls split across 14 control families that DoD contractors must adhere to.

How is NIST 800-171 Assessed?

Assessment of compliance with NIST 800-171 relies on the Supplier Performance Risk System (SPRS) score. Achieving compliance entails attaining an SPRS score of 110, indicating the implementation of each of the 110 security controls. Within each security control, specific requirements are detailed, varying in complexity and associated costs.

Who needs to follow NIST 800-171?

Simply put, organizations handling CUI must adhere to NIST 800-171 requirements. This includes prime contractors and subcontractors working for the Department of Defense (DoD), research institutions receiving federal grants, and organizations that store, handle, or process CUI for federal agencies. Organizations can confirm whether they handle CUI by carefully examining their government contracts for the relevant clauses and by checking for a CUI designation block. This block is a physical part of the government document and includes key information such as the issuing agency, the category of CUI contained within, and the applicable dissemination controls.


According to the DCSA, “CUI shall be identified in the issuing DD254, Request for Quote (RFQ), Request for Proposal (RFP), and/or supporting contract documentation when they exist. For existing contracted efforts, Industry should review current contracts and engage with Government Contracting Activity (GCA) to determine which, if any, CUI requirements are applicable to current contracts and the appropriate way forward.” Today, NIST 800-171 holds significant importance for several reasons.

Shielding the Pentagon

This framework aims to protect the Pentagon’s supply chain and the sensitive data that its contractors handle.

Required by Law

Its mandates were codified into law through the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which was implemented on December 31, 2017.

Prerequisite for CMMC

The controls outlined in NIST 800-171 are required for DoD contractors falling under Cybersecurity Maturity Model Certification (CMMC) level 2.

The Path to SPRS 110

Organizations can implement an in-house plan to reach SPRS 110 or partner with a third party such as IsI to help guide them through this process. The following steps will need to be followed:

1. Obtain the NIST documentation. The NIST website has documents available for download that provide insight into the 110 required controls.

2. Perform a self-assessment. This will help you understand your current level of compliance as it pertains to NIST 800-171 requirements.

3. Conduct a gap analysis. Following your self-assessment, you will need to identify where your current security controls are falling short.

4. Build a remediation plan. You will outline your path for addressing these gaps, including the specific actions to be taken, a timeline, and the resources required.

5. Implement. Your organization will carry out the actions outlined in step 4 to reach compliance.

6. Monitor continuously. Continue to monitor your compliance initiatives to ensure you stay up to date with current requirements. NIST 800-171 has undergone several revisions since its initial release, with the latest iteration being Revision 3.


The IsI Experience

When you partner with IsI, you’re not just getting a run-of-the-mill managed service provider. You’re gaining a team of compliance experts who live and breathe NIST 800-171. Reaching an SPRS score of 110 is not an overnight process, but with IsI at your side, we will greatly reduce the administrative burden that accompanies this initiative. Our team specializes in cybersecurity tool deployment, evidence gathering, gap assessment and analysis, development of a POA&M (Plan of Action and Milestones), GCC data migration, and much more. Once we help your organization reach compliance, our continued management will provide you with:

  • IT, compliance, and cybersecurity support
  • An annual NIST 800-171 assessment
  • Cybersecurity training/testing
  • Bi-annual business reviews