If you are a defense contractor handling Controlled Unclassified Information (CUI), then you are required to implement the 110 security controls stipulated in NIST 800-171. That’s been the case since 2017, but self-assessment of compliance has been permitted and as a result implementation throughout the Defense Industrial Base (the DIB) has been weak. That will change under the DoD’s Cybersecurity Maturity Model Certification (CMMC) program, which establishes third-party assessment mechanisms to verify compliance with NIST 800-171. CMMC requirements are expected to start to appear in defense contracts in late 2024.

This blog explains what you need to know about NIST 800-171 and best practices for achieving compliance.

Quick Guide to Get Started with CMMC

What is NIST 800-171?

If a defense contract entails handling CUI, then it will contain the DFARS 252.204-7012 clause, Safeguarding Covered Defense Information and Cyber Incident Reporting. DFARS 7012 requires contractors to protect CUI in accordance with NIST 800-171, which the National Institute of Standards and Technology (NIST) developed specifically to protect CUI.

NIST 800-171 stipulates 110 security controls, along with 320 objectives to help assess whether the controls are being effectively implemented or not. Each control has anywhere from one to 15 objectives associated with it. Every objective associated with a control must be met for that control to be satisfied, as shown in the figure below.

NIST 800-171: Assessment Objectives and Security Controls

Compliance with NIST 800-171 is not only required today, it also will be the key to achieving CMMC Level 2 certification. That’s because the security requirements for CMMC Level 2 and NIST 800-171 are totally aligned.

By replacing self-attestation with mandatory third-party assessments, CMMC will drive compliance with NIST 800-171 and raise cybersecurity levels throughout the DIB. Failing a CMMC assessment will render a company ineligible for contracts with the DoD.

The current version of NIST 800-171, in effect now, is Revision 2. You may know that NIST has been working on a Revision 3 of NIST 800-171. But until Rev. 3 is finalized, any contract with a DFARS 7012 clause requires compliance with Rev. 2. Details about the timing and transition to Rev. 3 have not yet been announced. Our recommendation is that defense contractors continue to focus on compliance with NIST 800-171 Rev. 2 for the foreseeable future.

Who needs to comply with NIST 800-171?

Any organization that handles CUI must comply with NIST 800-171. This includes prime contractors working directly for the DoD as well as all subcontractors that handle CUI, including universities and research institutions . This is critical for securing CUI, as cybercriminals know that primes are well-defended and so focus much of their energy further down the supply chain, and then work their way up from there.

CMMC will serve to enforce NIST SP 800-171 compliance via third-party assessments. In the meantime, defense contractors are required to conduct self-assessments of their NIST 800-171 compliance and submit their results to the DoD via its Supplier Performance Risk System (SPRS). Low scores are a red flag of a security risk and indicate noncompliance with NIST 800-171. A 2022 DoD memo instructed its contracting officers on how to proceed in such instances:

“Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements [emphasis added]. Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.”

Further, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)—DoD’s ultimate authority on compliance—has stepped up its pace, and just like the IRS can audit any taxpayer, the DIBCAC can select any defense contractor for a NIST 800-171 audit. One of your best defenses would be to demonstrate that your organization is on a path toward achieving a good NIST 800-171 score.

The Department of Justice (DoJ) has also raised the stakes for compliance with its Civil Cyber-Fraud Initiative aiming to hold contractors accountable for their cybersecurity. DoJ is utilizing the power of the False Claims Act to help enforce cybersecurity compliance, and is encouraging whistleblowers to come forward. In fact, Georgia Tech is currently facing a complaint filed by two whistleblowers for falsifying its NIST 800-171 compliance. DoJ recently announced its intention to intervene in the case and is expected to file its own amended complaint against the institution.

The benefits of compliance extend beyond meeting contractual obligations and avoiding False Claims cases: organizations with higher, documented cybersecurity levels gain a competitive advantage versus their competitors in the DIB .

Achieving NIST 800-171 compliance

Now is the time to take action to improve your organization’s cybersecurity posture. Here are the key steps to take to achieve NIST 800-171 compliance:

Familiarize yourself with NIST 800-171 requirements. NIST 800-171 has 110 security controls, all focused on protecting CUI. The controls are organized into 14 different groups, or families, such as Access Control, and Configuration Management. As illustrated above, 320 objectives are distributed across the 110 controls. The objectives are an excellent starting point for figuring out how best to implement the controls. We recommend that the NIST 800-171 website, which includes a complete list of helpful supplemental materials, serves as your primary source to learn more.

Scope your compliance boundary. Determine who in your organization accesses CUI, which devices process it and, importantly, whether you can create a CUI enclave separate from the part of your organization that doesn’t handle CUI . If only a portion of your organization handles CUI, it makes sense to narrow the scope of the security requirements as much as is reasonably possible. A smaller scope means a simpler compliance assessment, saving you time and money.

Adopt a platform to secure CUI. File sharing and email is how CUI is most frequently transmitted. Ask your Cloud Service Provider (CSP) how it protects files and emails, and for documentation showing if, and how, it supports NIST 800-171 compliance. Any reputable CSP should be able to provide that documentation easily and quickly. Your CSP also should meet DFARS 7012 c-g requirements, which center on incident reporting; FedRAMP Baseline or Equivalent standards, or higher; and use a FIPS 140-2 validated cryptographic module if encryption is used to protect CUI.

Develop compliance documentation. Documentation of your organization’s compliance entails thorough and meticulous work. The first task you’ll need to tackle is development of a System Security Plan (SSP) as required by NIST 800-171. The SSP explains how your organization meets each of NIST 800-171’s 110 controls. The SSP is the foundational document for a NIST 800-171 assessment and is a prerequisite for any DoD contract. Additional documentation including, for example, policies and procedures associated with each control, are also needed.

Conduct your NIST 800-171 self-assessment. The assessment should be done according to NIST SP 800-171A, as described above. That methodology will result in a self-assessment score, which must be submitted via the DoD’s SPRS portal. If your SPRS score is less than 110—the highest score possible—then you’ll need to create Plans of Actions & Milestones (POA&Ms) for the controls not met, and indicate by what date those security gaps will be remediated and a score of 110 will be achieved.

Identify partners and get the help you need. It’s understandable that many organizations lack the internal cybersecurity expertise to self-assess accurately and cost effectively. Outside partners can save time and money if you get stuck and need help. Hire consultants or organizations that are already familiar with the software platform you’re using to protect CUI, as that will streamline the engagement and get you over the finish line to NIST 800-171 compliance faster.

Again, get started now. Procrastinating means risking that your business won’t be eligible to do work for the DoD. Informed estimates by consultants who do this work are that it takes anywhere from 12-18 months to meet NIST 800-171 requirements. That exceeds the time frame during which strict DoD enforcement of NIST 800-171 will be cemented into law.

How is NIST 800-171 compliance assessed?

There are three possibilities for assessing NIST 800-171 compliance (two current and one to come):

First, defense contractors currently are permitted to self-assess their compliance with NIST 800-171 and submit the results to the DoD via SPRS. Self-assessments are required once every three years, although SPRS scores must be kept up to date to reflect changes—for better or worse—that occur between assessments.

To help contractors learn more about what’s required of them, NIST released Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information. That publication stipulates the 320 assessment objectives against which organizations must check their implementation of the 110 security controls. NIST notes that NIST SP 800-171A is “the authoritative source of the assessment procedures.”

Second, DoD has created an option for a NIST 800-171 assessment that falls between the current self-assessment and the CMMC-mandated third-party assessment to come: Contractors can volunteer for a Joint Surveillance Voluntary Assessment, or JSVA. JSVAs are conducted by C3PAOs under the supervision of DIBCAC.

JSVAs present an opportunity for contractors to stand out from their competitors for DoD contracts. That’s because JSVAs are based on pending CMMC certification requirements—which for Level 2 mirror NIST 800-171—and JSVA results will be directly transferable to CMMC Level 2 certification requirements as soon as CMMC is finalized.

Third, when CMMC is implemented, defense organizations will have a clause in their contract requiring CMMC certification at the level appropriate to the nature of the information the contract entails. If the contract involves handling CUI, contractors will need to achieve at least CMMC Level 2. At Level 2, the vast majority of contractors will need to undergo third-party assessments of their compliance with NIST 800-171 once every three years. Those assessments will need to be conducted by accredited C3PAOs (CMMC Third Party Assessment Organizations).

Your NIST 800-171 compliance checklist

This checklist can help you prepare for NIST 800-171 compliance.

  1. Make sure you have complete stakeholder buy-in. Ensure that your entire company understands the importance of NIST 800-171 compliance and protecting CUI. Make sure you have executive buy in. On that front, see PreVeil’s blog, Six IT Talking Points: Briefing your CEO on DoD compliance, to help you have the conversation you need to have with your CEO and other top leaders in your organization.
  2. Identify the scope of your environment. Find where CUI is located in your organization. The greater the scope, the more costly protection and compliance will be, in terms of both time and money. See PreVeil’s blog on creating a CUI enclave.
  3. Limit access to CUI. To improve efficiency, limit the scope of your environment as much as possible. Anyone who doesn’t need to touch CUI to do their job should not have access to that information. This goes both for employees and software.
  4. Adopt FIPS 140-2 validated technology to protect CUI . Ensure that the encryption technology you’re using relies on FIPS 140-2 cryptographic modules, as required by NIST 800-171. To learn more, see PreVeil’s blog, What is FIPS 140-2 and Why Is It Important?
  5. Create an SSP and supporting documentation. A robust SSP with all supporting documentation and procedures is a fundamental prerequisite to achieving NIST 800-171 compliance. See PreVeil’s blog, How to Create a System Security Plan (SSP), to learn more.
  6. Conduct a self-assessment. After you’ve developed your SSP, conduct a self-assessment using the methodology stipulated in NIST 800-171A. The highest possible SPRS score is 110, which means that your organization complies with every one of NIST 800-171’s 110 security controls. A perfect score after your first assessment is rare, though—instead, at first, your aim is to learn your current state of compliance.
  7. Identify gaps in technology and policy. Once you have a clear view of your current standing in relation to NIST 800-171 you can identify where you’ll need to do some work to achieve compliance.
  8. Create POA&Ms. Plans of Actions and Milestones (POA&Ms) are time-limited, step-by-step plans of how you’ll close existing gaps to achieve any unmet security controls and objectives. To learn more, see PreVeil’s blog, What is a POA&M?
  9. Work on closing those POA&Ms. Once you’ve planned how to close your security gaps, execute those plans. POA&Ms are time-limited and under CMMC will be acceptable only on a limited basis, so you shouldn’t think of them as loopholes out of requirements. Instead, they are guides for you to follow to achieve compliance with NIST 800-171.
  10. Identify partners to get the help you need. You needn’t take on NIST SP 800-171 compliance on your own. Depending upon your organization’s circumstances, it may be most cost effective to bring in outside help after you’ve adopted a platform to secure CUI and done your own NIST 800-171 assessment to identity security gaps. From there outside partners can help you save time and money by creating a smooth path to NIST 800-171 compliance.

PreVeil’s solution

PreVeil’s proven solution is secure, easy to use, and cost effective. PreVeil Drive allows users to encrypt, store, and share their files containing CUI. PreVeil Email allows users to send and receive emails securely using their existing email address. It adds an encrypted mailbox to Outlook and Gmail that supports NIST 800-171 requirements for digital communications. Specifically, PreVeil’s file sharing and email platform supports 102 of the 110 NIST 800-171 security controls, and 260 of the 320 assessment objectives specified in NIST 800-171A.

PreVeil also supports requirements that extend beyond NIST 800-171. PreVeil’s additional key compliance attributes include:

  • Meets FedRAMP Baseline Moderate Equivalent standards
  • Encrypts and stores data on FedRAMP High AWS GovCloud
  • Meets DFARS 252.204-7012 (c)-(g), which stipulate requirements for cyber incident reporting
  • Meets FIPS 140-2 standards for cryptographic modules used for encryption.

To learn more

PreVeil is trusted by more than 1,000 small and mid-size defense contractors to meet their compliance needs faster and more affordably.