Need help with NIST 800-171 compliance?

Have you been told by a customer or the government that your business needs to be NIST 800-171 compliant?

You're not alone. Businesses all over the US are finding themselves with a new security requirement they know little about. The good news is that it's probably not as bad as you think.

Who Needs NIST 800-171 Compliance?

Any DOD contractor or vendor that is subject to DFARS clause 252.204-7012. If you signed a new contract as a DOD vendor, contractor or subcontractor, chances are it's already in your contract. If not, it most likely will be soon, and the clause flows down to subcontractors that handle Covered Defense Information.

What is NIST 800-171?

NIST 800-171 is a control framework focused on Protecting Controlled Unclassified Information (CUI) in Non-Federal Systems and Organizations. Like NIST 800-53, it requires you to assess your systems and organization against each of its requirements (14 families, from Access Control through System and Information Integrity) and to document how you meet each one, typically in a System Security Plan (SSP) with a Plan of Action and Milestones (POA&M) for any requirement not yet implemented. Therefore, you need to determine whether it is more cost effective and practical to do this in house or to hire a company to perform the security assessment for you.

The full NIST document can be downloaded here: NIST.SP.800-171r1.pdf

NIST 800-171 vs NIST 800-53. Why NIST 800-171?

In short, because the government didn't want to impose the full NIST 800-53 on its contractors. NIST 800-171 is focused on non-federal organizations' protection of Controlled Unclassified Information, and its requirements are derived from FIPS 200 and the NIST 800-53 moderate baseline, tailored down to a much smaller subset. Requirements that are unique to federal systems, or that are expected to be handled by the contractor's normal business practices, were removed.


Due to all the ransomware, cyber intrusions and insider threat issues associated with vendors handling Controlled Unclassified Information, the DOD decided it was time that its vendors were required to take cyber security seriously.

When Do I Need NIST 800-171 Compliance?

For current contracts, as soon as practical but no later than December 31, 2017. For new contracts with the government, check with your Contracting Officer. Which means you need to get your security assessment started now! Keep your SSP, POA&M and compliance evidence handy in case of an audit or a request from your prime or the DOD.

But We Use “THE CLOUD”!

Everyone is moving business systems to "The Cloud." So, how do you determine whether your cloud vendor is allowed to store CUI? That's where FedRAMP comes in. DFARS 252.204-7012 states that if you are going to process, store or transmit CUI in an external cloud service, the provider must meet security requirements equivalent to the FedRAMP Moderate baseline. Luckily, both Office 365 and Google G Suite have products on the FedRAMP Marketplace. Keep in mind that a provider's FedRAMP authorization covers the provider's side of the service; the NIST 800-171 requirements for how your own users, devices and accounts access that service (access control, identification and authentication, awareness and training, and so on) are still yours to implement and document.

Need more information?

Check out our blog article for more information: "NIST 800-171: Why, What is it, and Where to Get Started"

About Patrick Stump

The CEO and founder of Roka Com, Patrick has been a key player in both offensive cyber intrusion and security operations with multiple branches and agencies of the United States Government (USG), the military, and commercial industry.

Connect with Patrick on LinkedIn