If you are a defense contractor handling Controlled Unclassified Information (CUI), then you are required to implement the 110 security controls spelled out in NIST 800-171. That’s been the case since 2017, but self-assessment of compliance has been permitted until now. That will change under the DoD’s Cybersecurity Maturity Model Certification (CMMC) program, which will require third-party assessments to verify compliance with NIST 800-171.
This blog explains what you need to know about NIST 800-171 and ways to make compliance simpler and more affordable.
- What is NIST 800-171?
- What is NIST 800-171 compliance?
- Who needs to comply with NIST 800-171?
- What are the NIST 800-171 controls?
- How to become NIST 800-171 compliant
- NIST 800-171 compliance checklist
- How PreVeil helps
What is NIST 800-171?
NIST SP 800-171 is a set of guidelines for protecting the confidentiality of CUI. Defense contractors need to follow these guidelines to show they can adequately secure the defense information in their contracts, as required by DFARS clause 252.204-7012. If a manufacturer is part of the supply chain for the Department of Defense (DoD), General Services Administration (GSA), NASA, or other federal or state agencies, implementing the security requirements in NIST SP 800-171 is essential.
What is CUI?
CUI, or Controlled Unclassified Information, is information created or held by the Federal government, or by an organization on its behalf. This information needs to be protected and shared according to certain laws, regulations, or policies.
NIST 800-171 stipulates 110 security controls, along with 320 objectives to help assess whether the controls are being effectively implemented or not. Each control has anywhere from one to 15 objectives associated with it. Every objective associated with a control must be met for that control to be satisfied, as shown in the figure below.
What is NIST 800-171 compliance?
NIST 800-171 compliance involves meeting the 110 controls and 320 objectives in the standard. For DoD contractors, NIST 800-171 compliance is essential and also necessary for achieving CMMC Level 2 certification, as both standards have the same security requirements. CMMC will enforce these requirements through mandatory third-party assessments instead of self-attestation, increasing cybersecurity across the Defense Industrial Base (DIB). Failing a CMMC assessment will disqualify a company from DoD contracts.
The current version of NIST 800-171 is Revision 2. Although NIST is working on Revision 3, until it is finalized, any contract with a DFARS 7012 clause requires compliance with Revision 2. The timing for Revision 3 is not yet announced, so defense contractors should continue to focus on complying with NIST 800-171 Revision 2 for now.
Who needs to comply with NIST 800-171?
Any organization handling CUI must follow NIST 800-171 guidelines. This includes prime contractors working directly with the DoD, as well as all subcontractors, universities, and research institutions. Cybercriminals often target smaller subcontractors, making compliance crucial for securing CUI.
CMMC will enforce NIST SP 800-171 compliance through third-party assessments. Meanwhile, defense contractors must conduct self-assessments and report their results to the DoD via the Supplier Performance Risk System (SPRS). Low scores indicate security risks and noncompliance.
The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) can audit any defense contractor for NIST 800-171 compliance, similar to IRS audits. Demonstrating progress toward a good NIST 800-171 score is crucial.
The Department of Justice (DoJ) is also increasing enforcement with its Civil Cyber-Fraud Initiative, holding contractors accountable for cybersecurity through the False Claims Act and encouraging whistleblowers. For example, Georgia Tech faces a complaint for falsifying NIST 800-171 compliance, with the DoJ expected to file its own complaint.
Read our Guide to CMMC, used by over 5,000 defense contractors
What are the NIST 800-171 controls?
There are 14 control families in NIST 800-171, with the 110 controls spread across those 14 families. Each family has specific requirements and guidelines that organizations must follow to ensure they are effectively protecting CUI within their information systems.
- Access Control (AC) – Focuses on limiting information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Controls include account management, access enforcement, and session termination.
- Awareness and Training (AT) – Ensures that managers, system administrators, and users of information systems are made aware of the security risks associated with their activities and are trained to carry out their security-related responsibilities. Includes security awareness training and role-based security training.
- Audit and Accountability (AU) – Provides guidelines for creating, protecting, and retaining information system audit records. Involves auditing
- Configuration Management (CM) – Focuses on establishing and maintaining baseline configurations and inventories of information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Includes configuration change control and security impact analysis.
- Identification and Authentication (IA) – Ensures that the identity of users, processes, or devices is verified as a prerequisite to allowing access to organizational information systems. Covers user identification, multi-factor authentication, and device identification.
- Incident Response (IR) – Establishes operational incident handling capabilities for detecting, analyzing, responding to, and reporting cybersecurity incidents. Involves incident response planning, incident detection, and response activities.
- Maintenance (MA) – Addresses the maintenance of information systems, including performing periodic and timely maintenance, providing effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance. Includes controlled maintenance and maintenance tools.
- Media Protection (MP) – Involves protecting information system media, both digital and non-digital, limiting access to information on information system media to authorized users, and sanitizing or destroying information system media before disposal or reuse. Covers media access, marking, and transport.
- Personnel Security (PS) – Ensures that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions. Includes personnel screening and termination procedures.
- Physical Protection (PE) – Addresses physical access control measures for protecting information systems and the facilities in which they are housed. Involves physical access authorizations, monitoring, and control of physical access.
- Risk Assessment (RA) – Establishes the processes for identifying and managing risks to organizational operations, organizational assets, individuals, and other organizations. Includes risk assessment, vulnerability scanning, and risk management strategies.
- Security Assessment (CA) – Provides guidelines for periodically assessing the security controls in organizational information systems to determine if the controls are effective in their application. Involves control assessments, continuous monitoring, and plan of action and milestones (POAM).
- System and Communications Protection (SC) – Ensures that organizations implement technical security controls to safeguard the integrity and confidentiality of information at rest and in transit. Covers cryptographic protections, boundary protection, and transmission confidentiality.
- System and Information Integrity (SI) – Ensures that information systems are protected against unauthorized changes and that detected security flaws are promptly addressed. Includes flaw remediation, malicious code protection, and monitoring for unauthorized personnel, connections, devices, and software.
How to become NIST 800-171 compliant
Now is the time to take action to improve your organization’s cybersecurity posture. Here are the key steps to take to achieve NIST 800-171 compliance:
Familiarize yourself with NIST 800-171 requirements. NIST 800-171 has 110 security controls, all focused on protecting CUI. The controls are organized into 14 different groups, or families, such as Access Control, and Configuration Management. As illustrated above, 320 objectives are distributed across the 110 controls. The objectives are an excellent starting point for figuring out how best to implement the controls. We recommend that the NIST 800-171 website, which includes a complete list of helpful supplemental materials, serves as your primary source to learn more.
Scope your compliance boundary. Determine who in your organization accesses CUI, which devices process it and, importantly, whether you can create a CUI enclave separate from the part of your organization that doesn’t handle CUI. If only a portion of your organization handles CUI, it makes sense to narrow the scope of the security requirements as much as is reasonably possible. A smaller scope means a simpler compliance assessment, saving you time and money.
Adopt a platform to secure CUI. File sharing and email are the ways CUI is most frequently transmitted. Ask your Cloud Service Provider (CSP) how it protects files and emails, and for documentation showing if, and how, it supports NIST 800-171 compliance. Any reputable CSP should be able to provide that documentation easily and quickly. Your CSP should also meet DFARS 7012 (c)-(g) requirements, which center on incident reporting; FedRAMP Baseline or Equivalent standards, or higher; and use a FIPS 140-2 validated cryptographic module if encryption is used to protect CUI.
Develop compliance documentation. Documenting your organization’s compliance entails thorough and meticulous work. The first task you’ll need to tackle is development of a System Security Plan (SSP), as required by NIST 800-171. The SSP explains how your organization meets each of NIST 800-171’s 110 controls. The SSP is the foundational document for a NIST 800-171 assessment and is a prerequisite for any DoD contract. Additional documentation, for example the policies and procedures associated with each control, is also needed.
Conduct your NIST 800-171 self-assessment. The assessment should be done according to NIST SP 800-171A, which defines the 320 assessment objectives described above. That methodology will result in a self-assessment score, which must be submitted via the DoD’s SPRS portal. If your SPRS score is less than 110—the highest score possible—then you’ll need to create Plans of Action and Milestones (POA&Ms) for the controls not met, and indicate by what date those security gaps will be remediated and a score of 110 will be achieved.
Identify partners and get the help you need. It’s understandable that many organizations lack the internal cybersecurity expertise to self-assess accurately and cost effectively. Outside partners can save time and money if you get stuck and need help. Hire consultants or organizations that are already familiar with the software platform you’re using to protect CUI, as that will streamline the engagement and get you over the finish line to NIST 800-171 compliance faster.
Again, get started now. Procrastinating means risking that your business won’t be eligible to do work for the DoD. Informed estimates by consultants who do this work are that it takes anywhere from 12-18 months to meet NIST 800-171 requirements. That exceeds the time frame during which strict DoD enforcement of NIST 800-171 will be cemented into law.
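The two rules that drive the self-assessment step above are easy to get wrong in a spreadsheet: a control counts as met only when every one of its NIST SP 800-171A objectives is met, and the SPRS score starts at 110 and drops for each control that is not fully met, with each unmet control needing a POA&M entry and a remediation date. The following Python is an added example (not PreVeil's code or any DoD tool) that applies those rules to a constructed set of assessment results. The DoD's NIST SP 800-171 Assessment Methodology assigns each control a weight of 1, 3 or 5; the weights, objective results and dates in the sample data are constructed for illustration and are not taken from the methodology's table, and the sample assumes every control not listed is met.

```python
"""Evaluate NIST SP 800-171 self-assessment results: all-objectives-met per
control, an SPRS score counted down from 110, and a POA&M per unmet control.
Added example with constructed sample data; not an official DoD scoring tool."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110  # highest possible SPRS score: all 110 controls met


@dataclass
class Control:
    control_id: str            # NIST 800-171 control number, e.g. "3.1.1"
    weight: int                # 1, 3 or 5 (constructed here, see lead-in)
    objectives: dict[str, bool]  # 800-171A objective id -> met?

    def is_met(self) -> bool:
        # The whole control is satisfied only if every objective is met.
        return all(self.objectives.values())

    def unmet_objectives(self) -> list[str]:
        return [oid for oid, met in self.objectives.items() if not met]


def sprs_score(controls: list[Control]) -> int:
    """Start at 110 and subtract the full weight of each control not fully met.
    Assumes `controls` lists every control that has an unmet objective."""
    return MAX_SCORE - sum(c.weight for c in controls if not c.is_met())


def build_poams(controls: list[Control], assessed_on: date,
                days_to_close: int = 180) -> list[dict]:
    """One POA&M entry per unmet control, listing the open objectives and the
    date by which the gap is committed to be closed (assumed 180 days here)."""
    target = (assessed_on + timedelta(days=days_to_close)).isoformat()
    return [
        {"control": c.control_id,
         "open_objectives": c.unmet_objectives(),
         "target_date": target}
        for c in controls
        if not c.is_met()
    ]


# Constructed sample assessment: four controls, two of them with a missed
# objective. Objective ids follow the 800-171A "[a]", "[b]" style.
SAMPLE_ASSESSMENT = [
    Control("3.1.1", 5, {"3.1.1[a]": True, "3.1.1[b]": True, "3.1.1[c]": True}),
    # a single missed objective fails the whole control; full weight deducted
    Control("3.1.2", 5, {"3.1.2[a]": True, "3.1.2[b]": False}),
    Control("3.3.1", 3, {"3.3.1[a]": True, "3.3.1[b]": False, "3.3.1[c]": False}),
    Control("3.4.1", 1, {"3.4.1[a]": True, "3.4.1[b]": True}),
]


def run_sample() -> dict:
    """Score the constructed assessment as of a constructed assessment date."""
    assessed_on = date(2024, 9, 30)  # constructed date
    return {
        "score": sprs_score(SAMPLE_ASSESSMENT),
        "poams": build_poams(SAMPLE_ASSESSMENT, assessed_on),
    }


if __name__ == "__main__":
    result = run_sample()
    print(f"SPRS score: {result['score']} / {MAX_SCORE}")
    for poam in result["poams"]:
        print(f"POA&M for {poam['control']}: close {poam['open_objectives']} "
              f"by {poam['target_date']}")
```

In the sample, control 3.1.2 has one of two objectives unmet and 3.3.1 has two of three unmet; both are deducted in full, so the score is 110 - 5 - 3 = 102 and two POA&M entries are generated. Note that the real methodology also gives partial credit for a couple of specific controls, which this simplified scorer does not model.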
Your compliance checklist
This checklist can help you prepare for NIST 800-171 compliance.
- Make sure you have complete stakeholder buy-in. Ensure that your entire company understands the importance of NIST 800-171 compliance and protecting CUI. Make sure you have executive buy-in. On that front, see PreVeil’s blog, Six IT Talking Points: Briefing your CEO on DoD compliance, to help you have the conversation you need to have with your CEO and other top leaders in your organization.
- Identify the scope of your environment. Find where CUI is located in your organization. The greater the scope, the more costly protection and compliance will be, in terms of both time and money. See PreVeil’s blog on creating a CUI enclave.
- Limit access to CUI. To improve efficiency, limit the scope of your environment as much as possible. Anyone who doesn’t need to touch CUI to do their job should not have access to that information. This goes both for employees and software.
- Adopt FIPS 140-2 validated technology to protect CUI. Ensure that the encryption technology you’re using relies on FIPS 140-2 validated cryptographic modules, as required by NIST 800-171. To learn more, see PreVeil’s blog, What is FIPS 140-2 and Why Is It Important?
- Create an SSP and supporting documentation. A robust SSP with all supporting documentation and procedures is a fundamental prerequisite to achieving NIST 800-171 compliance. See PreVeil’s blog, How to Create a System Security Plan (SSP), to learn more.
- Conduct a self-assessment. After you’ve developed your SSP, conduct a self-assessment using the methodology stipulated in NIST 800-171A. The highest possible SPRS score is 110, which means that your organization complies with every one of NIST 800-171’s 110 security controls. A perfect score after your first assessment is rare, though—instead, at first, your aim is to learn your current state of compliance.
- Identify gaps in technology and policy. Once you have a clear view of your current standing in relation to NIST 800-171 you can identify where you’ll need to do some work to achieve compliance.
- Create POA&Ms. Plans of Action and Milestones (POA&Ms) are time-limited, step-by-step plans for closing existing gaps to achieve any unmet security controls and objectives. To learn more, see PreVeil’s blog, What is a POA&M?
- Work on closing those POA&Ms. Once you’ve planned how to close your security gaps, execute those plans. POA&Ms are time-limited and under CMMC will be acceptable only on a limited basis, so you shouldn’t think of them as loopholes out of requirements. Instead, they are guides for you to follow to achieve compliance with NIST 800-171.
- Identify partners to get the help you need. You needn’t take on NIST SP 800-171 compliance on your own. Depending upon your organization’s circumstances, it may be most cost effective to bring in outside help after you’ve adopted a platform to secure CUI and done your own NIST 800-171 assessment to identify security gaps. From there, outside partners can help you save time and money by creating a smooth path to NIST 800-171 compliance.
How PreVeil helps you meet compliance
PreVeil’s proven solution is secure, easy to use, and cost effective. PreVeil Drive allows users to encrypt, store, and share their files containing CUI. PreVeil Email allows users to send and receive emails securely using their existing email address. It adds an encrypted mailbox to Outlook and Gmail that supports NIST 800-171 requirements for digital communications. Specifically, PreVeil’s file sharing and email platform supports 102 of the 110 NIST 800-171 security controls, and 260 of the 320 assessment objectives specified in NIST 800-171A.
PreVeil also supports requirements that extend beyond NIST 800-171. PreVeil’s additional key compliance attributes include:
- Meets FedRAMP Baseline Moderate Equivalent standards
- Encrypts and stores data on FedRAMP High AWS GovCloud
- Meets DFARS 252.204-7012 (c)-(g), which stipulate requirements for cyber incident reporting
- Meets FIPS 140-2 standards for cryptographic modules used for encryption
PreVeil is trusted by more than 1,200 small and mid-size defense contractors to meet their compliance needs faster and more affordably.
- If you have questions about how PreVeil can help your defense organization achieve compliance, contact us.
- Sign up for a free 15-minute consultation with our compliance team