Understanding NIST 800-171 Compliance

Using the NIST Framework to Help Non-Federal Organizations Protect Controlled Unclassified Information (CUI)


What is NIST 800-171?


NIST SP 800-171 is a set of security requirements published by the National Institute of Standards and Technology (NIST) that non-federal organizations use to protect controlled unclassified information (CUI). CUI is information the federal government creates or possesses that is not classified but that a law, regulation, or government-wide policy requires to be safeguarded. The requirements apply to non-federal organizations that handle CUI while working with agencies such as the United States Department of Defense (DoD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA), including service providers, vendors and suppliers for federal agencies, and higher education institutions that receive federal grants.

NIST 800-171 is required for all non-federal organizations that process, store, or transmit CUI. In this NIST 800-171 compliance resource center, we’ll look into the history of the framework, what it’s designed to do, and how you can crosswalk your other cybersecurity frameworks with these requirements.

Here’s What You’ll Learn:

  • What is NIST 800-171? A set of standards that guide how non-federal organizations protect sensitive but unclassified federal information called CUI.
  • Build Your NIST 800-171 Strategy: You can use Apptega to build and manage your NIST 800-171 framework, simplifying your NIST 800-171 compliance journey.
  • Who Needs NIST 800-171? If you’re a non-federal organization serving as a contractor or subcontractor to federal agencies and you handle CUI, you should be NIST 800-171 compliant.
  • NIST 800-171 Purpose: To guide how non-federal organizations protect the CUI they handle while doing business with government agencies.
  • NIST 800-171 Controls: The requirements are divided among 14 families. Compliant organizations must show they meet the requirements in each of these families.
  • NIST 800-171 Benefits: Like other cybersecurity frameworks, NIST 800-171 can serve as the basis of your cybersecurity program, helping mature your security posture over time.
  • Steps to NIST 800-171 Compliance: Documentation is key to demonstrating NIST 800-171 compliance. This section covers what you should consider.
  • NIST 800-171 Self-Assessment: Conducting security assessments can be challenging, but it’s critical to demonstrating NIST 800-171 compliance.
  • From NIST 800-171 to CMMC: Because self-attestation to NIST 800-171 compliance has long been unreliable, DoD is adding CMMC certification requirements to new contracts.
  • NIST 800-171 Case Study: See how Cape Henry Associates is using Apptega to manage NIST 800-171 and CMMC compliance.
  • NIST 800-171 Blog Snapshots: Want to know more about the connections between NIST 800-171 and CMMC? These blogs cover that and more.
  • NIST 800-171 Webinar Snapshots: Join a webinar to explore how NIST 800-171 and CMMC work together to help you with your NIST 800-171 strategy.
  • The Apptega Solution for NIST 800-171: Apptega can help you implement and manage NIST 800-171 controls, and simplifies crosswalking the framework with others.
  • NIST 800-171 Marketplace: Searching for tools, guidance, and assistance with NIST 800-171 compliance? Try the NIST 800-171 Marketplace.
  • NIST 800-171 Frequently Asked Questions: Have questions about NIST 800-171 compliance? The FAQ has answers.

Understanding NIST 800-171

NIST 800-171 is a set of security requirements for non-federal organizations that work with federal agencies. It’s designed to help these organizations adopt controls to protect controlled unclassified information (CUI). The National Institute of Standards and Technology (NIST) first published these requirements in June 2015 in response to Executive Order 13556, Controlled Unclassified Information, issued in November 2010. The purpose of the executive order was to standardize how agencies handle and protect this sensitive federal information.

NIST 800-171 is a requirement for all non-federal organizations that process, store, or transmit CUI. (Federal agencies themselves protect CUI using the control catalog in NIST SP 800-53.) Compliance has always been required, but because organizations self-attest to it, there have long been concerns about how reliably they do so. The requirements are easiest to understand grouped into four buckets: controls and processes, monitoring and management, practices and procedures, and implementation. It looks like this:

1. Design controls and procedures that establish how you will manage and protect CUI.
2. Continuously monitor and manage all of your IT systems to ensure compliance.
3. Ensure all users understand your security practices and procedures.
4. Implement and maintain security practices for your data, your technology, and your physical locations.

While some cybersecurity frameworks require a certification, NIST 800-171 does not. Instead, non-federal organizations that access CUI while working with federal agencies are expected to implement the framework and self-attest to meeting basic security standards to protect CUI.

NIST 800-171

There are 14 families of requirements in NIST 800-171, ranging from access control and awareness and training to system and information integrity. To demonstrate compliance, you should have documentation in place showing that you meet each requirement, interview the team members responsible for maintaining your NIST 800-171 controls, and run tests that show your controls effectively do what they’re intended to do.

While self-attestation has generally been the compliance standard for contractors and subcontractors, a DFARS interim rule (published September 2020, effective Nov. 30, 2020) introduced a DoD assessment methodology with a scoring component that reflects how many of the framework’s 110 requirements are implemented.

In early 2019, the DoD announced it intended to audit its supply chain for DFARS compliance. Under the interim rule, as of Nov. 30, 2020, contractors and subcontractors must have a current NIST SP 800-171 assessment score posted in the DoD’s Supplier Performance Risk System (SPRS) before a contract can be awarded.

Who Needs NIST 800-171?

Does Your Organization Need to Be NIST 800-171 Compliant?

As a non-federal organization working with a federal agency, if you process, store, or transmit CUI, you are expected to comply with the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).

FAR and DFARS outline requirements for all U.S. government acquisition and contract processes. NIST SP 800-171 provides the requirements your organization must implement to protect all controlled unclassified information (CUI) it handles. The government mandates that DoD contractors and subcontractors implement NIST SP 800-171 to satisfy DFARS clause 252.204-7012, which required full implementation of the framework by December 31, 2017.

If your organization fails to demonstrate you meet the appropriate requirements, you may not be able to work with federal agencies, and compliance failure could result in the government ending existing contracts with you.

It’s also important to note that if you are a prime contractor who works with subcontractors to complete terms of your DoD or other federal relationships, you are expected to ensure that all of those subcontractors also meet NIST 800-171 compliance.

To evaluate if you are NIST 800-171 compliant, you can refer to “NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements,” which is a step-by-step guide that can help assess how well your organization is doing in meeting framework requirements.

Managing NIST Compliance

Managing your NIST 800-171 Framework with Apptega

The NIST 800-171 framework within the Apptega cybersecurity and compliance platform supports all of the core 14 control areas and sub-controls needed to ensure NIST 800-171 compliance. You can use the Apptega solution to plan, implement and manage your NIST 800-171 controls and crosswalk other frameworks your organization uses (or plans to implement in the future) for complete, consolidated insight into your cybersecurity posture.

Here are some of the ways Apptega can help you with your NIST 800-171 compliance:

  • Simplify framework management
  • Reduce preparation time for compliance assessments and audits
  • Help align your cybersecurity goals with your organizational goals and objectives
  • Give you instant access to the data and information you need to report on your cybersecurity posture and compliance at any time
  • Crosswalk your current frameworks through Apptega Harmony to improve your program efficiency by 50% or more
  • Demonstrate to your clients, key stakeholders, and the public that you meet standards to keep CUI safe
  • Gain competitive advantages when bidding on federal contracts as a prime or subcontractor

Build a Successful NIST 800-171 Engagement Strategy

As a non-federal organization working with federal agencies, you should be able to demonstrate to the government you have effective cybersecurity controls in place to protect controlled unclassified information.

In this NIST 800-171 compliance guide, you will learn more about the framework, including its history, and will explore:

  • Why NIST 800-171 compliance is important
  • What controlled unclassified information is and why it needs protection
  • What’s required to meet NIST 800-171 compliance expectations
  • What the compliance process looks like
  • How you can complete a self-assessment for compliance
  • Additional references to help you on your NIST 800-171 compliance journey

What Our Customers Are Saying

Dr. Pete Dowdy
Senior Director, Information Security, Envistacom

"The new CMMC framework in Apptega, combined with the platform's cybersecurity management and reporting capabilities, greatly simplifies the certification process and helps organizations ensure compliance with minimal overhead."

Thad Wellin
CMMC Lead, SecureStrux

"The Apptega Assessment Manager significantly streamlines CMMC assessments and helps us promote collaboration with our clients. We evaluated numerous tools and found the Apptega cybersecurity and compliance management platform to be the most robust and easy to use.”

Ed Myers
Associate Compliance Director, Cape Henry Associates

“With Apptega, we now have the visibility needed to know the true status of our program at any time.”

Managing NIST 800-171 and Other Frameworks with Apptega

While NIST 800-171 compliance provides a great foundation for building a cybersecurity program for your organization, most modern organizations quickly understand that because of other compliance and regulatory standards, they can improve their security posture by implementing and managing more than one cybersecurity framework.

Unfortunately, many organizations struggle with this, as they find teams duplicating processes across multiple frameworks without clear insight into existing controls that work together.

Apptega’s intelligent framework mapping tool, Harmony, changes everything. With Harmony, you can map multiple security programs, for ISO 27001, PCI, HIPAA, GDPR and others, right in one solution with a convenient, easy-to-understand dashboard. The cost and effort required to manage multiple frameworks can be reduced by 50% or more. And when you need compliance evidence for only one framework during an audit or self-assessment, you can easily isolate that framework in the Apptega dashboard and reports.

5 Core Functions: Understanding NIST 800-171 Security

NIST 800-171 itself is organized into 14 requirement families (listed in the next section), not into functions. The five core functions of the NIST Cybersecurity Framework (identify, protect, detect, respond, and recover) are nonetheless a useful lens for those families: mapping each requirement to a function helps you design proactive safeguards for CUI and plan how you will mitigate and respond to cyber risks related to CUI.

Let’s take a closer look at each function and its intended purpose:

IDENTIFY

This function covers how your organization manages cyber risks related to people, assets, systems, data, and capabilities. By understanding your risks in a business context, you can focus resources on protecting critical functions and reducing those risks. Identifying all of your assets and vulnerabilities is the first step in prioritizing and remediating risk.

PROTECT

This function helps you establish safeguards that ensure you can keep delivering critical services. The goal is to limit the impact a cyber event could have on your organization and data.

DETECT

This function helps you define the activities you need to implement to identify when a cyber event happens, so you can address a potential incident effectively and with a timely response.

RESPOND

This function covers the activities your team takes once it identifies a cybersecurity event, including what you do to contain it and limit its impact.

RECOVER

This function ensures you have defined activities in place to restore services impacted by a cybersecurity incident, including plans and procedures to return your operations to “normal” quickly.

Understanding NIST 800-171 Controls

NIST SP 800-171 has 110 security requirements (commonly called controls), derived from FIPS 200 and the moderate baseline of NIST SP 800-53. Each of the 110 requirements belongs to one of 14 families:

1. Access Control
  • Limit system access to authorized users, processes, and devices
  • Ensure authorized user access and prevent unauthorized access
  • Establish processes within the identity management lifecycle
2. Awareness and Training
  • Ensure that personnel are aware of the security risks associated with their activities
  • Ensure that personnel understand the applicable policies, standards, and procedures related to organizational information systems security
3. Audit and Accountability
  • Create and retain system audit records so that cybersecurity events can be detected, investigated, and traced to individual users
4. Configuration Management
  • Establish and maintain baseline configurations and inventories of your systems
  • Control and track changes to those configurations, and restrict nonessential programs, ports, and services
5. Identification and Authentication
  • Ensure unique identification and proper authentication for systems and information access
6. Incident Response
  • Implement a consistent and effective approach to manage information security incidents
  • Test your incident response capability periodically
7. Maintenance
  • Perform and control system maintenance to ensure the secure operation and availability of equipment and supporting devices
8. Media Protection
  • Protect information stored on all media (digital and paper) from unauthorized disclosure or modification, and sanitize media before disposal or reuse
9. Personnel Security
  • Screen individuals before granting access to CUI, and create procedures that protect CUI during onboarding, offboarding and employee transfers
10. Physical Protection
  • Prevent unauthorized physical access to, theft of, damage to, or loss of availability of your organization’s systems and facilities
11. Risk Assessment
  • Establish periodic risk assessments to identify and categorize cybersecurity threats, vulnerabilities, and potential consequences
  • Scan for vulnerabilities and define mitigation and exception processes
12. Security Assessment
  • Establish periodic security assessments to identify any control weaknesses
  • Establish remediation plans to ensure continuous improvement of your organization’s security posture
13. System and Communications Protection
  • Manage and routinely verify system security configuration
  • Monitor, control, and protect information flowing into and within your network, including using cryptography to protect CUI in transit
14. System and Information Integrity
  • Ensure system and information integrity by monitoring, preventing and remediating security events or incidents

Benefits of NIST 800-171 Compliance

In addition to ensuring your ability to compete for federal contracts, there are a number of benefits of implementing NIST 800-171 controls, not just for CUI, but also for other important and sensitive data created, processed, transmitted, or stored by your organization.

Here are some key benefits of NIST 800-171 compliance:

  • Establish controls to protect and secure CUI and other important data
  • Identify gaps and weaknesses within your cybersecurity processes
  • Establish mature risk management practices
  • Monitor your alignment to NIST 800-171 compliance standards
  • Protect assets and data
  • Remediate weaknesses and other security issues
  • Improve your existing security processes
  • Mature and scale your cybersecurity practices
  • Implement access control and management for sensitive data
  • Decrease cyber risks
  • Decrease risk of data exfiltration
  • Implement industry-recognized security best practices
  • Decrease chance of reputational damage
  • Decrease chance of compliance or other regulatory fines and penalties
  • Gain a competitive edge for securing government contracts
  • Improve relationships/confidence with federal agencies
  • Demonstrate to your partners, clients, key stakeholders, and the public you’re committed to protecting sensitive data
  • Be prepared to effectively respond to cyber events

Steps to Become NIST 800-171 Compliant

While there is no formal certification process for NIST 800-171, all non-federal organizations accessing CUI as part of their work with a federal agency must attest to NIST 800-171 compliance. As we mentioned earlier, there are 14 core requirement families. To show that you’re compliant with these standards, your organization should develop a System Security Plan (SSP) that outlines how you’re effectively meeting all of the controls.

Here’s a quick look at what that SSP might look like:

  • Outline requirements and controls
  • Describe your operating environment as it relates to each control
  • Demonstrate (with documentation) how you’ve successfully implemented those controls
  • Explain your testing procedures and results
  • Outline interconnectivity with other systems

In addition to your SSP, you can also create a Plan of Action and Milestones (POA&M) that outlines how you intend to address security requirements you have not yet implemented. In your POA&M, don’t forget to also describe how you will mitigate risk in the interim until those action items are in place.

Documentation is a critical component of attesting that you’re NIST 800-171 compliant. Here are three core areas you’ll need to address as part of your self-assessment:

  • Examine all of your documents, policies, procedures and related records to ensure you’re meeting each defined sub-control
  • Interview all individuals who have responsibilities related to your NIST 800-171 security procedures
  • Test all of your sub-controls and document how your controls performed as prescribed

Conducting a NIST 800-171 Self-Assessment

In 2020, the Department of Defense issued an interim rule regarding how contractors handle cybersecurity requirements, including the adoption of a new DoD assessment methodology to ensure that all contracts meet the DFARS mandate and NIST 800-171 requirements. For contractors to compete for new contracts, win new contracts or renew existing contracts with the DoD after Nov. 30, 2020, they must first complete a self-assessment and upload the results of the assessment into the DoD’s Supplier Performance Risk System (SPRS).

While previously a self-assessment has been a pass or fail scenario based on the 110 security requirements outlined in NIST 800-171, the new assessment methodology now includes a scoring system based on those 110 controls. DoD intends to use this methodology to standardize assessments of NIST implementation.

In this assessment methodology, there are three assessment levels, each reflecting the level of confidence DoD places in the results:

  • Basic: A self-assessment the contractor completes, based on a review of its own SSP. Because the score is self-generated, it carries a “low” level of confidence.
  • Medium: DoD reviews the contractor’s SSP and discusses it with the contractor, resulting in a medium level of confidence.
  • High: DoD conducts an on-site or virtual assessment of the contractor, including examination, verification, and demonstration of the SSP and of how the NIST 800-171 requirements are implemented. This results in a high level of confidence. The contractor first completes a Basic self-assessment and submits it to DoD before a Medium or High assessment takes place.

If all 110 security requirements are implemented, the contractor earns the maximum score of 110.

For every requirement that is not implemented, its assigned weight (5, 3, or 1 point, reflecting the impact of leaving it unimplemented) is subtracted from 110, so the score can fall below zero (the minimum is -203). Two requirements allow partial credit: multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11) cost 3 points instead of 5 when partially implemented. Requirements that do not apply to your environment count as implemented, while items still open on a POA&M count as not implemented. For the full weighting table, see the NIST SP 800-171 DoD Assessment Methodology v1.2.1.
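The scoring rules above are easy to get wrong when working from a spreadsheet (a POA&M item silently counted as implemented, or partial credit claimed for a requirement that does not allow it). The following Python script is an added worked example, not code from the original page or from Apptega, that computes a Basic assessment score the way the DoD Assessment Methodology describes. The sample assessment it scores is constructed and covers only a subset of the 110 requirements; the weights attached to each requirement ID are assumed for illustration and must be checked against Annex A of the methodology before use.

```python
"""
Compute a NIST SP 800-171 DoD Assessment score (the number posted to SPRS).

Rules implemented, as described in the DoD Assessment Methodology v1.2.1:
  * start from 110 and subtract each unimplemented requirement's weight
    (5, 3 or 1 point, assigned per requirement in Annex A of the methodology);
  * requirements that are not applicable to the environment count as implemented;
  * items still open on a POA&M count as NOT implemented;
  * 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography)
    may be scored as a 3-point deduction instead of 5 when partially implemented;
  * the lowest possible score is -203.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "not_implemented"   # includes open POA&M items
    NOT_APPLICABLE = "not_applicable"     # e.g. wireless requirements with no wireless in scope
    PARTIAL = "partial"                   # only valid for 3.5.3 and 3.13.11


TOTAL_REQUIREMENTS = 110
MAX_SCORE = 110
MIN_SCORE = -203
# Reduced deduction for the two requirements that have a partial-credit rule.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Requirement:
    req_id: str
    weight: int        # 1, 3 or 5 from Annex A of the methodology
    status: Status


def deduction(req: Requirement) -> int:
    """Points subtracted from 110 for this requirement."""
    if req.weight not in (1, 3, 5):
        raise ValueError(f"{req.req_id}: weight must be 1, 3 or 5, got {req.weight}")
    if req.status in (Status.IMPLEMENTED, Status.NOT_APPLICABLE):
        return 0
    if req.status is Status.PARTIAL:
        if req.req_id not in PARTIAL_CREDIT_DEDUCTION:
            raise ValueError(f"{req.req_id}: no partial-credit rule; score it as implemented or not")
        return PARTIAL_CREDIT_DEDUCTION[req.req_id]
    return req.weight


def sprs_score(reqs, require_all: bool = False) -> int:
    """Score = 110 minus the sum of deductions.

    With require_all=True the list must contain exactly 110 distinct requirement
    IDs (a complete assessment); otherwise unlisted requirements are treated as
    implemented, which is only appropriate for a partial walk-through."""
    ids = [r.req_id for r in reqs]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate requirement IDs in assessment")
    if require_all and len(ids) != TOTAL_REQUIREMENTS:
        raise ValueError(f"complete assessment needs {TOTAL_REQUIREMENTS} requirements, got {len(ids)}")
    score = MAX_SCORE - sum(deduction(r) for r in reqs)
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


def poam_items(reqs):
    """Requirement IDs that still cost points, i.e. that belong on the POA&M."""
    return [r.req_id for r in reqs if deduction(r) > 0]


# Constructed sample covering a subset of the 110 requirements. The weights are
# illustrative (assumed from Annex A) and must be verified against the methodology.
SAMPLE_ASSESSMENT = [
    Requirement("3.1.1", 5, Status.IMPLEMENTED),       # limit system access to authorized users
    Requirement("3.1.2", 5, Status.IMPLEMENTED),       # limit access to permitted transactions/functions
    Requirement("3.1.3", 1, Status.NOT_IMPLEMENTED),   # control the flow of CUI
    Requirement("3.1.5", 3, Status.NOT_IMPLEMENTED),   # least privilege (open POA&M item)
    Requirement("3.1.12", 5, Status.NOT_IMPLEMENTED),  # monitor and control remote access
    Requirement("3.1.16", 5, Status.NOT_APPLICABLE),   # authorize wireless access (no wireless in scope)
    Requirement("3.5.3", 5, Status.PARTIAL),           # MFA for remote/privileged but not general users
    Requirement("3.13.11", 5, Status.PARTIAL),         # CUI encrypted, but module not FIPS-validated
]

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_ASSESSMENT))   # 95
    print("POA&M:", poam_items(SAMPLE_ASSESSMENT))
```

For a real submission, load all 110 requirements with their Annex A weights and call `sprs_score(..., require_all=True)` so that a missing row cannot be mistaken for an implemented requirement; `poam_items` then gives you exactly the list that must appear in the POA&M with remediation dates.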

Contractors should anticipate completing this type of assessment once every three years or whenever there are significant changes in security practices, risks, or security-related events. Prime contractors also retain responsibility for ensuring subcontractors also meet compliance requirements.

From NIST 800-171 to CMMC

In addition to implementing the new DoD assessment methodology for NIST 800-171 compliance, the government is taking additional steps to ensure all non-federal organizations do their part to protect CUI and other sensitive data.

In January 2020, DoD released the first version of the Cybersecurity Maturity Model Certification (CMMC) program, which builds on NIST 800-171. When fully operational, it is intended to apply to all requests for information (RFIs) and requests for proposals (RFPs). CMMC 1.0 creates five levels of certification, each building on the one below it, to create scalable cybersecurity practices that protect controlled unclassified information.

By successfully completing a CMMC certification, contractors demonstrate they can effectively protect CUI. A CMMC certification can apply to an entire enterprise or to a particular segment, depending on contract requirements and where information is processed, stored, or transmitted.

Here are the five CMMC certification levels:

CMMC Certification Level 1: Perform

Practice: Basic Cyber Hygiene
Focus: Safeguard FCI
Number of Practices Introduced: 17

CMMC Certification Level 2: Document

Practice: Intermediate Cyber Hygiene
Focus: Transition step in cybersecurity maturity progression for CUI protection
Number of Practices Introduced: 55

CMMC Certification Level 3: Manage

Practice: Good Cyber Hygiene
Focus: Protect CUI
Number of Practices Introduced: 58

CMMC Certification Level 4: Review

Practice: Proactive
Focus: Protect CUI and reduce risk of APTs
Number of Practices Introduced: 26

CMMC Certification Level 5: Optimize

Practice: Advanced/Progressive
Focus: Protect CUI and reduce risk of APTs
Number of Practices Introduced: 15

The 17 Core Domains of CMMC

The 17 domains of CMMC are broken down into 43 capabilities, which together contain the 171 practices spread across the five levels. You can read more about those practices, including how to earn a CMMC certification, in our CMMC resource center.

For a high-level explanation of the key difference between NIST 800-171 and CMMC, watch this 2-minute video clip.

1. Access Control
2. Asset Management
3. Audit and Accountability
4. Awareness and Training
5. Configuration Management
6. Identification and Authentication
7. Incident Response
8. Maintenance
9. Media Protection
10. Personnel Security
11. Physical Protection
12. Recovery
13. Risk Management
14. Security Assessment
15. Situational Awareness
16. Systems and Communications Protection
17. System and Information Integrity

NIST 800-171 & CMMC In Action

Cape Henry Associates uses Apptega to manage NIST 800-171 and CMMC compliance. Upon uploading its NIST 800-171 data into Apptega, team members were pleased to discover they were already at 92% of full compliance with the standard. The Apptega platform also immediately exposed some additional gaps that were previously unknown.

“With Apptega, we’re able to take a cost-effective DIY approach to cybersecurity readiness and compliance. The built-in guidance for each of the sub-controls helps us quickly compare what we are actually doing with what we need to be doing. Gaps are readily identified, and remediation tasks are set up in the platform to give us a 360-degree view of our status and plans.”
Ed Myers, Cape Henry Compliance Director

NIST 800-171 Blogs


Choose the Right Framework to Better Navigate the Convergence of Data Privacy and Cybersecurity

In modern cybersecurity practices, the lines that once existed between privacy and security are converging, which creates challenges for teams that need to work together to ensure you’re successfully meeting all your regulatory and compliance standards. Today, it’s no longer just about the privacy of the data you collect, store, and transmit, but also how you protect it. New regulations like state and federal mandates and GDPR are further driving this convergence. Check out this blog to explore how you can streamline cybersecurity framework management to successfully overcome this growing list of challenges.


CMMC Certification: Tips for Preparation

Understanding what CUI is and why the government wants it protected is the first step of many when it comes to earning a CMMC certification. You also need to understand the five levels of CMMC certification and which one is the most applicable to your organization’s needs, as well as what you should do to prepare for a CMMC compliance audit and how you can mature your processes to scale your cybersecurity practice and earn higher certification levels over time. In this blog, you will learn more about selecting the right certification level, how to conduct a CMMC gap analysis, and how to prepare for a CMMC certification assessment.


Which Cybersecurity Framework is Right for You?

There are a growing number of cybersecurity frameworks available for organizations today. While compliance and regulatory standards may drive which frameworks you have to adopt, you may realize other frameworks bring value to improving your security practices. But, with so many frameworks available, how do you know which one is right for you? SOC 2? CIS? ISO? This blog explores several common frameworks, outlining where they’re relevant and how they may help your organization. Read on to find out more about each one and how Apptega can help you adopt and implement the best framework to meet your specific needs.


NIST 800-171 Webinars


NIST SP 800-171 and CMMC: Minimize Your Risk of Losing Business Opportunities

Simply self-attesting to NIST 800-171 compliance is no longer all you need for a competitive advantage to win government contracts. With the addition of new assessment methodologies and the newly-released CMMC certification expectations, there’s a lot to digest.

Watch this on-demand webinar to learn more about:
• The relationship between NIST 800-171 and CMMC
• How to earn a CMMC certification
• Who conducts assessments for NIST 800-171 and what they look like
• Compliance challenges


Secrets To Passing A Cybersecurity Audit: An Auditor's Perspective

Cybersecurity audits are often tedious and time-consuming, but they are critical parts of ensuring your organization is recognized for all your hard work to be compliant with a range of requirements. The good news is, preparing for an audit with the help of a solution like Apptega can reduce these complexities and get you well on your way to a successful review.

In this on-demand webinar, learn more about:
• Best practices for successfully passing an audit
• Real-world audit experiences shared by experienced auditors
• Common audit pitfalls and how to overcome them
• Time-saving tips for engaging effectively throughout the audit process


Apptega Product Highlights


Mapping NIST 800-171 to NIST 800-53, CMMC, and Other Frameworks

Simplify your NIST 800-171 compliance with multiple cybersecurity and privacy frameworks in the Apptega platform. In addition to easily crosswalking multiple frameworks within the Apptega Harmony intelligent mapping tool, you can also streamline tasks and manage roles and responsibilities within the platform.

Apptega’s dashboard gives you instant, easy-to-understand insight into the status of your NIST 800-171 compliance and helps you quickly identify areas for improvement. One-click reports include high-level summaries for your executives and board of directors, detailed status reports for customers and supply chain partners, and a POA&M and SSP for audits and certifications.

NIST 800-171 Marketplace


Searching for tools, guidance, and assistance with NIST 800-171 compliance?

The NIST 800-171 Marketplace in CyberXchange is mapped to all the controls defined in the framework. For each of your gaps or compliance deficiencies, you can instantly find solutions mapped to your specific needs. Guesswork is eliminated. The research is already done for you.

Join thousands of CISOs, CIOs and other cyber professionals who are already finding perfect-fit solutions.

Frequently Asked Questions about NIST 800-171 (FAQs)

What is NIST 800-171?
NIST 800-171 is a set of security requirements created by the National Institute of Standards and Technology (NIST) to protect controlled unclassified information in non-federal systems and organizations. Its purpose is to standardize and improve cybersecurity practices that protect sensitive data and decrease the likelihood of a successful breach. NIST 800-171 is a requirement for every non-federal organization that processes, transmits, or stores CUI.
Who oversees NIST 800-171?
The National Institute of Standards and Technology (NIST) maintains NIST 800-171. NIST is part of the U.S. Department of Commerce and, since its founding in 1901, has developed measurement and technology standards for everything from atomic clocks to information security.
What is Executive Order 13556?
Executive Order 13556 is a presidential order issued in November 2010 to create a unified program to manage the safeguarding and dissemination controls for CUI. The order requires these controls be consistent with applicable laws, regulations, and government policies. All third-parties working with government agencies with access to CUI are expected to meet guidelines stemming from the executive order.
What is the DFARS mandate?
The Defense Federal Acquisition Regulation Supplement (DFARS) mandate requires all non-federal organizations within the DoD’s supply chain to meet NIST 800-171 requirements to protect and secure CUI. This applies to all non-federal systems and non-federal organizations, including both prime contractors and subcontractors.
What is FISMA and how is it related to NIST 800-171?

FISMA is short for the Federal Information Security Management Act, enacted in 2002 (and updated by the Federal Information Security Modernization Act of 2014) to improve cybersecurity practices for federal agencies. FISMA applies to federal agencies and their information systems, and the NIST 800-53 controls that agencies use to meet it are the basis for NIST 800-171, which extends protection of CUI to the non-federal organizations that handle it.

Are NIST 800-171 and NIST 800-53 the same?
NIST 800-171 and NIST 800-53 are not the same, but both are frameworks you can implement to improve your cybersecurity practices. NIST 800-53 is part of FISMA, which relates to federal information security systems, whereas NIST 800-171 is part of DFARS and relates to non-federal systems and organizations.
How do I become NIST 800-171 compliant?
If you are a non-federal organization that processes, stores, or transmits controlled unclassified information from a federal agency, there are several steps you can take to become NIST 800-171 compliant. You will need to apply the appropriate security controls outlined in the requirements, test those controls, provide documentation that those controls are effective, outline your plans for meeting controls not yet in place, and complete, at a minimum, a compliance self-assessment. You will also need to ensure you adhere to the DoD’s assessment methodology and, where appropriate, complete an assessment with a DoD official. Further, beginning in 2020, some contractors and subcontractors wishing to bid on or renew contracts will need to be CMMC-certified at a minimum of level 1; however, each new RFP or RFI will outline which certification level you need to secure a specific contract.
What happens if I am not NIST 800-171 compliant?
Unlike some other frameworks, NIST 800-171 has no official certification, even though compliance with it is a requirement. Instead, you’ll need to complete an assessment that attests to your NIST 800-171 controls and, where appropriate, complete a CMMC certification for future contracts.
Are NIST 800-171 and CMMC related?
Yes. NIST 800-171 and CMMC are related. Essentially, CMMC builds on the NIST 800-171 controls. It is a way for organizations to prove their adherence to NIST 800-171 controls more effectively than a self-assessment alone can.
Who needs to be NIST 800-171 compliant?
If you are a non-federal organization that works with the federal government (for example, the DoD or NASA, or if you are a service provider or supplier for a federal agency) and your organization transmits, processes, or stores controlled unclassified information, you should be NIST 800-171 compliant.
What is CUI?
CUI stands for controlled unclassified information. This is sensitive but unprotected and non-regulated information created or controlled by the federal government. All CUI requires controls for protection that are related to a variety of regulations, laws, and government policies. NIST 800-171 outlines control requirements for all non-federal agencies.
Why does CUI need protection?
There are a number of reasons CUI needs protection. As with most sensitive data, exfiltration of or damage to CUI can negatively impact operations and integrity. In this case, if CUI is lost, stolen, or damaged, it could affect a government agency’s ability to deliver services and achieve its goals.
Does NIST 800-171 require encryption at rest?
Yes. NIST 800-171 requires organizations to safeguard the confidentiality of data at rest. That means you should employ cryptography that meets Federal Information Processing Standards (FIPS). Encryption helps protect data that may be lost or stolen by preventing unauthorized users from reading it.
Is NIST 800-171 mandatory?
Yes. NIST 800-171 is mandatory for all non-federal systems and organizations that transmit, process, or store controlled unclassified information (CUI).
Can I get a NIST 800-171 certification?
No. You cannot get a NIST 800-171 certification; however, if you process, transmit, or store CUI, you must be NIST 800-171 compliant, which is demonstrated through an assessment. There are three assessment levels for NIST 800-171. The first, basic, is achieved through a self-assessment, whereas the DoD conducts the assessments for the medium and high levels.
Where can I find compliance resources for NIST 800-171?
NIST 800-171 compliance resources are available in Apptega’s NIST 800-171 Marketplace. Within the marketplace, you can quickly access products and services to help you with NIST 800-171 compliance, including consultants who have proven expertise in your specific compliance areas.