Are you NIST 800-171 ready? The clock is ticking…


If you are a U.S. federal government contractor (or anyone else who touches CUI), you’re probably aware of NIST SP 800-171.  If not, you certainty should be – and fast.  One of our newest services is a program that helps contractors understand the requirements in detail, assess where you stand relative to compliance, and then advises on the necessary steps to achieve compliance as quickly and cost-effectively as possible.

Unconcerned?  Well, hopefully you’re in the clear.  But if not, be aware that if you fail to become compliant before December 31, 2017, the risk of getting blocked from entering – or being forced to exit – the valuable federal marketplace is real.

Let’s walk through what you need to know.

First, what is NIST SP 800-171?  Simply put, federal government contractors (and some other folks too, read on) must protect what is known as Controlled Unclassified Information (CUI).

So, what is CUI? CUI is any sensitive federal information routinely processed, stored, or transmitted by a federal contractor in conjunction with the support and/or delivery of essential products and services to federal agencies. Examples include credit card and other financial data, web and electronic mail services, background investigative data for security clearances, healthcare data, data required to provide cloud services, and data associated with developing communications, satellite, and weapons systems.

Who needs to be concerned?  Well, not just contractors.  Federal information is frequently provided to, or shared with, entities such as state and local governments, colleges and universities, and independent research organizations. So if you are one of those, be assured Uncle Sam wants to know that you are not impacting the government’s ability to successfully carry out designated missions and business operations, including missions and functions related to the critical infrastructure.

OK, now you’re likely wondering what you need to do to be compliant.  NIST 80-171 information security controls are grouped into fourteen families including access controls, configuration controls, and security assessment controls. There are 110 unique basic and derived controls that map to 160 granular, unique, measurable controls.

And, what should you do? CyberDefenses has a NIST SP 800-171 Compliance program ready to get you on the right path.  It is a four-stage process (Survey, Interview, Verification, Plan of Action) that results in a Compliance Gap Report, Customer Attestation, and Plan of Action and Milestones (POAM) report.

We’ve already performed this service for a number of clients. So, odds are, we can get you where you need to be fast, and again, cost-effectively.

Want to know more?

Not sure you need our program just yet, but want to get more information?  Here are three things you can do right away:

First, check out our services data sheet for a good summary of how we can help you achieve compliance

Second, we’ll be holding a few NIST SP 800-171 compliance webinars starting early July. Register for the first (free) 30m webinar here. This will be on July 18th, and hosted by CyberDefenses’ CTO.

Third, get deep knowledge fast by registering for our online training class, which will be held in July.

Regardless of what path you choose – even if you elect to fly solo – take it seriously.  The Feds moved the compliance date once already from 2015 to year-end 2017.  It’s unlikely they’ll move it again.  Don’t get caught short.


About the author

Damon Fleury

Damon Fleury serves as the Chief Technology Officer of CyberDefenses, Inc. He is responsible for technology selection, research and development across the range of security services offered to CDI customers. Prior to CyberDefenses, Damon spent over two decades in engineering, product management and senior leadership roles, with a heavy focus on networking and cybersecurity. In addition to his work within CyberDefenses, Damon is also very active in the cybersecurity start-up community. As a Managing Partner within Manifest, Damon helps enable the cybersecurity community to support the growth and success of Austin-based security startups.