NIST SP 800-171

US Government defense and federal contractors must protect Controlled Unclassified Information (CUI)

Become compliant.

Avoid getting blocked from, or forced to exit, the federal marketplace.

Here is what you need to know, and how CyberDefenses can help.

What is NIST SP 800-171?

NIST Special Publication 800-171 is the new security and privacy standard that the US government and Department of Defense will impose upon non-federal organizations seeking to contract with the US government.

Specifically, SP 800-171 is about protecting CUI. CUI is any sensitive federal information routinely processed, stored, or transmitted by a federal or defense contractor in conjunction with the support and/or delivery of essential products and services to federal agencies.

Examples of CUI

Examples include credit card and other financial data, web and electronic mail services, background investigative data for security clearances, healthcare data, data required to provide cloud services, and data associated with developing communications, satellite, and weapons systems.


Who must be compliant?

Organizations that will be affected by CUI requirements include local governments, colleges, universities, independent research organizations, vendors, sub-contractors and suppliers who process, store, or transmit CUI.


Access Control: Who is authorized to view CUI data?
Awareness and Training: Are people properly trained in how to manage this info?
Audit and Accountability: Are records kept of authorized and unauthorized access? Can violators be identified?
Configuration Management: How are your networks and safety protocols designed and documented?
Identification and Authentication: Which users are approved to access CUI and how are they verified prior to gaining access?
Incident Response: What happens if a breach or security threat occurs, including proper notification?
Maintenance: What program is in place for maintenance, and who owns that responsibility?
Media Protection: How are electronic and hard copy records and backups stored, and who has access?
Physical Protection: Who has access to your systems, equipment, and storage environments?
Personnel Security: How are employees screened prior to gaining CUI access permission?
Risk Assessment: How are your defenses tested? Are operations or individual readiness regularly verified?
Security Assessment: Are processes and procedures still effective?
System and Communications Protection: Is information systematically monitored and controlled at key transmission points?
System and Information Integrity: How quickly are threats detected, identified and remediated?

Is there a compliance deadline?

Organizations processing CUI under DFARS are required to be compliant with NIST 800-171 security requirements no later than December 31, 2017.

Organizations processing CUI under the FAR must be compliant by November 2018.

How can CyberDefenses help?

Three ways!

Introduction to NIST SP 800-171 Webinar

Learn directly from the source in our hosted webinar with Mark Riddle, co-author of NIST SP 800-171.


NIST 800-171 Compliance Program

Let CyberDefenses put your organization on the right path with our NIST SP 800-171 compliance program.


NIST 800-171 Do It Yourself Training Class

Take one of our deep-dive training classes to get the process and execution knowledge (including our CUI guideline templates) to do it yourself.
