Remember when we mentioned the clock is ticking on NIST SP 800-171 compliance? Well, where do you start?
The first step toward NIST SP 800-171 compliance is to make sure you are working from the right document. Check your version—the newest one was released December 2016, and you don’t want to work with an outdated version. NIST always posts the newest version at http://csrc.nist.gov/publications/PubsSPs.html#SP 800.
How does the government know when you’ve fulfilled the revision requirements? The short answer is that communicating compliance is based on self-attestation. For federal contractors, no details or examples have been set, and there is no certification program. Federal and DoD contracting officers individually determine how compliance will be communicated by their vendors: some may use a custom formal process, some a simple email, and others may appreciate the sample self-attestation statement from CyberDefenses. Learn more about our NIST SP 800-171 compliance service here.
The problem this creates is that a vendor, or anyone with little depth or experience, may not be able to recognize which forms of reporting will be accepted. Further investigation of 800-171 shows greater depth—for example, 110 controls seem simple, but the publication includes an appendix mapping those controls to a control framework at a much finer granularity, roughly doubling the number of controls. Because of the complex nature of these compliance requirements, companies that do not have a history of information security due diligence should not expect to be independently compliant by the deadline (December 31, 2017 for defense contractors). Organizations that do not possess this history will need to do one of two things: either get a crash course in information security, or document the gaps in their information security program using a POA&M (Plan of Actions and Milestones).
However, non-defense federal contractors are on a schedule with a little more room. As each top-level federal agency determines its course of action in 2018, it is required to provide direction specific to its organization’s course of action to its suppliers, who in turn have six months to implement and then instruct the next level of the supply chain. This is a multi-tiered system, and it will continue all the way down the supply chain.
NIST SP 800-171 compliance is not as simple as buying new security products and installing them; compliance requires careful inspection to ensure that the products support the business’s individual model for compliance.
CyberDefenses is here to help. If you are interested in performing your own NIST SP 800-171 assessment, you should get trained by experts who perform these assessments today and can provide you with the templates you need to get the job done quickly. Sign up for your DIY NIST Compliance Assessment training here.
Do you need help to understand the next steps in your assessment? Click here to find more information and fill out the “contact us” form for a free initial conversation on how this NIST specification may impact your organization.
About the author
Contact CyberDefenses today to learn how we can help your company’s cybersecurity needs.