NIST SP 800-171

US Government defense and federal contractors (DFARS and FAR) must protect Controlled Unclassified Information (CUI).

Become compliant to avoid getting blocked from, or forced to exit, the federal marketplace.

Here is what you need to know, and how CyberDefenses can help.

What is NIST SP 800-171?

NIST Special Publication 800-171 is the new security and privacy standard that the US government and Department of Defense will impose upon non-federal organizations seeking to contract with the US government.

Specifically, SP 800-171 is about protecting CUI. CUI is any sensitive federal information routinely processed, stored, or transmitted by a federal or defense contractor in conjunction with the support and/or delivery of essential products and services to federal agencies.

Examples of CUI

Examples include credit card and other financial data, web and electronic mail services, background investigative data for security clearances, healthcare data, data required to provide cloud services, and data associated with developing communications, satellite, and weapons systems.


Who must be Compliant?

Organizations that will be affected by CUI requirements include local governments, colleges, universities, independent research organizations, vendors, sub-contractors and suppliers who process, store, or transmit CUI.

What processes, personnel and controls areas are affected by NIST SP 800-171?

Organizations that handle CUI must verify compliance in 14 key areas:

Access Control: Who is authorized to view CUI data?
Awareness and Training: Are people properly trained in how to manage this information?
Audit and Accountability: Are records kept of authorized and unauthorized access? Can violators be identified?
Configuration Management: How are your networks and safety protocols designed and documented?
Identification and Authentication: Which users are approved to access CUI, and how are they verified prior to gaining access?
Incident Response: What happens if a breach or security threat occurs, including proper notification?
Maintenance: What program is in place for maintenance, and who owns that responsibility?
Media Protection: How are electronic and hard-copy records and backups stored, and who has access?
Physical Protection: Who has access to your systems, equipment, and storage environments?
Personnel Security: How are employees screened prior to gaining CUI access permission?
Risk Assessment: How are your defenses tested? Are operations or individual readiness regularly verified?
Security Assessment: Are processes and procedures still effective?
System and Communications Protection: Is information systematically monitored and controlled at key transmission points?
System and Information Integrity: How quickly are threats detected, identified, and remediated?

Is there a compliance deadline?

Yes. Organizations processing CUI under DFARS are required to be compliant with NIST SP 800-171 security requirements no later than December 31, 2017. Organizations processing CUI under the FAR must be compliant by November 2018.

How can CyberDefenses help?

We offer three informative – and increasingly actionable – steps towards getting your business compliant:

Looking to become more knowledgeable at large?

Join one of our NIST SP 800-171 webinars starting early July.

We’ll post a link to our webinar schedule in a couple of days. If you want to be sure not to miss that, fill out the contact form below and we’ll get back to you as soon as the dates are finalized.

Have staff who need the requisite training?

Get deep knowledge fast by attending our online training class, coming up in July.

Learn More About the Class

Ready to get started on compliance now and need help?

CyberDefenses has a NIST SP 800-171 compliance program ready to get you on the right path.

It is a four-stage process (Survey, Interview, Verification, Plan of Action) that results in a Compliance Gap Report, Customer Attestation, and Plan of Action and Milestones (POAM) report.

We’ve performed this service for a number of clients. We’ll get you where you need to be – fast and cost-effectively.

Download the Datasheet to Learn More