
NIST SP 800-171 Overview and Guides



NIST SP 800-171 is a NIST Special Publication that provides federal and defense contractors with recommended requirements for protecting the confidentiality of sensitive information that is not officially 'Classified'. Defense and manufacturing contractors handle large amounts of sensitive information and are regulated by the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). One DFARS clause (252.204-7012) requires all manufacturing and defense contractors to comply with the security requirements in NIST SP 800-171. In NIST 800-171, sensitive information that is not officially 'Classified' is referred to as Controlled Unclassified Information (CUI). CUI includes personal data, intellectual property, equipment specifications, logistical plans, and any number of other strictly confidential federal defense-related information.

It is important to note that compliance with NIST 800-171 is not restricted to defense and manufacturing contractors. Any organization that processes or stores sensitive, unclassified information on behalf of the government, such as research institutions, universities that receive federal grants, and service providers to government agencies, must comply with NIST 800-171 as well.

NIST 800-171 consists of 110 requirements, each focusing on a specific area of the organization. The requirements cover domains such as access control, system configuration, authentication, incident management, vulnerabilities, risk management, etc.

The implementation of each requirement demonstrates proper handling of the CUI stored, transmitted and shared across and within an organization’s infrastructure.


Is NIST 800-171 a certification?

At present there is no NIST 800-171 certification; however, you can self-attest or self-certify. It is important to note that with the introduction of the Cybersecurity Maturity Model Certification (CMMC), whose Level 2 is entirely based on NIST 800-171, an organization can obtain a certification against the NIST 800-171 requirements.


NIST 800-171 Preparation and tips

Well, we take care of the preparation piece at TrustCloud! However, even if you use a GRC tool for preparation, there are still some important considerations:

  • Make sure you have a dedicated team to handle the effort that a NIST 800-171 preparation demands. Compliance is a team effort and requires intent and continual effort; having a clear goal and the drive to reach it will help you succeed in this endeavor.
  • Perform an internal assessment to determine your gaps. This will help you determine how much time is needed. This is also something TrustCloud can help you with.
  • Document, document, document everything! If it's not documented, it is not happening!

We have curated a toolkit to help you on your NIST 800-171 journey! Follow each article below.
