Do it yourself NIST 800-171 Compliance Assessment


Controlled Unclassified Information (CUI) is at risk, and the US Government is getting serious about protecting it. All contractors and sub-contractors in the business of providing goods and services to the government need to get serious too. Starting with Executive Order 13556 in 2010, and emphasized by the 2014 Federal Information Security Modernization Act (FISMA Reform), the government recognized problems in the supply chain that place CUI at risk.

NIST Special Publication 800-171 r1 (December 2016) addresses these risks with 14 information security families and 110 information security controls that draw heavily from NIST 800-53. The Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) now embed mandatory information security requirements directly into contracts, with critical compliance dates as early as December 2017.

Join CyberDefenses to review these new federal requirements, discuss approaches to completing the initial assessment, address the requirements and achieve compliance. The course includes hands-on exercises on how to do the assessment and provides students with the templates needed for the required Plan of Actions & Milestones (POA&M) and the Self Attestation Documents.

Part 1: CUI – Brace yourself for the new federal contract cybersecurity reality
Part 1 includes understanding what Controlled Unclassified Information (CUI) is, why it’s important, the consequences for non-compliance and the multiple timelines for Federal and Defense focused contracts. Understand the compliance process starting with self-assessment, actions to achieve compliance and the new reality of maintaining compliance in the future. Learn to document your status with self-attestation.

Part 2: Build cybersecurity into your bottom line and keep your federal business
Part 2 includes a detailed review of the NIST 800-171 fourteen security families including 110 basic and derived security requirements. We’ll analyze how this specification matures your organization’s culture into a trained, policy and procedure driven workforce that protects the confidentiality of CUI you’re entrusted with.

Part 3: Conduct NIST 800-171 CUI Self-Assessment and create your POA&M
Part 3 includes procedures and analysis for the assessment process, including comprehensive underlying requirement details mandated by appendix D and the CUI specific categories and sub-categories in the CUI Registry. Analysis includes identifying compliance/non-compliance and understanding your security maturity relative to industry standards. Procedures include documenting your findings (i.e. non-compliant controls) and developing your Plan of Actions & Milestones (POA&M) to implement corrections.

Part 4: Build your CUI Self-Attestation and CUI Deliverables
Part 4 includes discussion of the multiple products and deliverables built into NIST 800-171 compliance. Each of these deliverables requires planning, people and resources. In addition to the self-attestation and POA&M, requirements include the Written Information Security Program (WISP), Configuration Management Plan (CMP), Information Security Continuous Monitoring (ISCM), Information System Contingency Plan (ISCP), Incident Response Plan (IRP), Security Awareness Program, Security Assessment Plan (SAP), Security Assessment Report (SAR), and the System Security Plan (SSP).


Course Objectives

In this course, you will learn about the high level requirements outlined in the NIST Special Publication 800-171. This course will prepare you to perform an assessment to determine whether your organization is compliant and provide you with the templates and tools required to complete it.

Date & Time

Sep 7-8 (Round Rock)
Sep 14-15 (online)
Oct 10-11 (online)
Nov 13-14 (online)
Dec 5-6 (online)

Target Student

This course is intended for IT practitioners, business owners and/or project managers with basic IT knowledge who are charged with understanding the impact of NIST 800-171 on their business.


Cyber Defenses, Inc.
1205 Sam Bass Road, Suite 300
Round Rock, TX 78681
(512) 255-3700

Your Instructors

Dave Gray

Dave Gray is a CISSP, CAP and PMP certified CyberSecurity Leader skilled in securing information systems to achieve information Confidentiality, Integrity and Availability. Dave’s focus is Governance, Risk Management and Compliance (GRC) using information security frameworks established by the National Institute of Standards and Technology (NIST) and the Center for Information Security 20 Critical Security Controls. His focus area is NIST 800-171, NIST 800-53 and CIS CSC 20 implementation.

Jay MacLaughlin

Biography coming soon.


Certification of Completion
