NIST 800-171 – Why, What is it, and Where to Get Started


Earlier in 2017 DOD contractors learned about the new DFARS clause 252.204.7012. It required that existing contractors, and in many cases subcontractors, be NIST 800-171 compliant before December 31, 2017.

Many have missed that deadline, or new contractors are searching for help with this new requirement. I wrote this article to give you the breakdown of what you need to know about NIST 800-171 and being compliant.

Why is this happening?

In short, DOD is requiring anyone dealing with CDI (Covered Defense Information) to get serious about their cyber security. This is DOD’s attempt to bring the level of security up to a common standard. While this may be one more thing on your plate, it is actually a good thing. Don’t believe me yet? Read the rest of the article and let’s see if I can convince you.

What if I choose not to be compliant?

It’s a DFARS requirement, so if you are a DOD contractor or subcontractor you will most likely lose your contracts. There are options for sending the DOD CIO’s office exemption requests, but good luck with that!

What is NIST 800-171?

New requirements for doing business with the Government often cause businesses everything from anxiety to irritation. DON’T PANIC! This one really isn’t that bad. NIST 800-171 is a framework that specifies how your information systems and policies need to be set up in order to protect Controlled Unclassified Information (CUI).

Here’s a link to the actual document. It’s a PDF, and it will open in a new tab:

NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

Can you do it yourself?

Yes, however, ask yourself:

  • Are you or your staff qualified to objectively evaluate your own systems and policies?

  • Is this the best use of your time?

  • Will hiring an outsourced Cyber Security Compliance company be better, faster and cheaper?

Where do I start?

The steps for starting are the same whether you are outsourcing to a cyber security company or running everything in house.


Perform a Gap Analysis

This is a focused Security Assessment in which you work through all of the controls of NIST 800-171 and determine where you are currently compliant and where you need work. This involves interviews with your staff, looking over network maps and configurations, and filling out the compliance matrix.

Where do you process CDI and CUI?

The main focus of the exercise is to protect Covered Defense Information (CDI) and Controlled Unclassified Information (CUI). While your overall network needs to be assessed, you may be able to greatly reduce your implementation costs if you focus on isolating, and applying the compliance matrix only to, the systems that process CDI and CUI.

Here is some more information about CUI (will open in a new tab):

About Controlled Unclassified Information from Wikipedia: Controlled Unclassified Information

Assess SaaS Vendors for FedRAMP Certification

Luckily, you may already be compliant if your SaaS providers are FedRAMP certified. In fact, this may be the opportunity you have been waiting for to make the push to SaaS services like Office 365 and Google G Suite, both of which have components that are FedRAMP certified.

Establish an Incident Response Plan

An Incident Response Plan simply states how you should act during a cyber intrusion or insider investigation. This is the piece where companies can get in over their heads and realize later that they should have outsourced this process from the beginning. If you have one of our Incident Response $0 MSA plans, you're already covered most of the way. Your Incident Response Plan becomes easy to document and is quickly checked off the list.

Implement Changes to be Compliant

Most likely you will have changes that need to be researched and implemented for your company to be compliant, for example adding two-factor authentication or ensuring that there are no shared passwords. If you have your checklist from the Gap Analysis, this will be easy to plan and implement. However, don’t be afraid to reach out to your Cyber Security Vendor and ask for help!

Can Roka Security Help Us be NIST 800-171 Compliant?


Yes! We will perform a Security Assessment customized and targeted for the NIST 800-171 directive. Roka Security will assess your systems, environment, policies and procedures and provide you with a comprehensive, detailed report to help you become compliant. At the end you will have your NIST 800-171 Checklist matrix and supporting documentation to show you are compliant.

Closing Out

This article was just to make you aware that being NIST 800-171 compliant is mandatory if you are a DOD contractor or a subcontractor to a DOD contractor. You will need to decide whether you want to do everything in house and spend the time learning, or outsource the process to your Cyber Security Vendor. If you already have a cyber security staff, this will probably go quickly and easily, since you are already mostly compliant.

If you know you need help, and don’t want to be an expert on NIST 800-171, please Contact Us to get a free quote on how we can help you be compliant before the December 31, 2017 deadline!

Links for more information:

NIST Special Publication 800-171 (PDF): Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204.7012.

About Patrick Stump

The CEO and founder of Roka Com, Patrick has been a key player in both offensive cyber intrusion and security operations with multiple branches and agencies of the United States Government (USG), the military, and commercial industry.

Connect with Patrick on LinkedIn