If you are a defense contractor handling Controlled Unclassified Information (CUI), then you are required to comply with the Department of Defense (DoD)’s National Institute of Standards (NIST) 800-171 standard. NIST 800-171 is the industry standard for cybersecurity that ensures CUI’s protection and confidentiality. Contractors have had to meet the 110 NIST 800-171 requirements since 2017, but the rapidly approaching CMMC will ratchet up enforcement of the standard.

Definition: CUI
Controlled Unclassified Information (CUI) is sensitive but unclassified information that requires particular safeguarding to ensure it is properly handled and shared both internally and with outside organizations.

If you are getting started with NIST 800-171 compliance then this blog will explain what you need to know about the standard and best practices for achieving compliance.

What is NIST 800-171

NIST 800-171 is the federal government’s framework for ensuring the security of CUI and standardizing how agencies handle that information. NIST 800-171 is composed of 110 controls divided among 14 families. Each family covers a different aspect of protecting CUI. In order to achieve NIST 800-171 compliance, all 110 controls must be met.

Meeting the NIST 800-171 requirements requires contractors to develop a system security plan (SSP) and associated plans of action. The SSP must clearly define how the company meets each one of the 110 NIST controls. If any controls are unmet when the SSP is created, the company must create a Plan of Action and Milestones (POA&M) for that control.

A POA&M outlines the steps the organization will take to meet the NIST 800-171 control, along with deadlines for those actions. POA&Ms can only be used for a limited number of NIST 800-171 controls and must be closed within 180 days. For these reasons it is important to treat POA&Ms as an action item and not a loophole out of compliance.

Today, complying with NIST 800-171 is the key to meeting the upcoming CMMC standard. Compliance with CMMC level 2 is based on meeting NIST 800-171, thus achieving NIST 800-171 compliance is the best way to ensure a company is ready to pass a CMMC audit. The new program will not change technical security requirements, but rather the rigor of enforcement.

By replacing self assessment with mandatory third party assessments, CMMC will drive even adoption of NIST 800-171 throughout the Defense Industrial Base (DIB). Failing a CMMC assessment will render a company ineligible for contracts with the DoD.

Who needs to comply with NIST 800-171

Any organization that handles CUI must achieve NIST 800-171 compliance. This includes Prime contractors working for the DoD and their subcontractors, as well as universities and research institutions receiving federal grants.

Get your copy of NIST SP 800-171 Self-Assessment: Raising Your SPRS Score


Defense organizations risk running afoul of their DoD obligations if they do not comply with the 110 controls of NIST 800-171. As CMMC 2.0 rolls out, enforcement of compliance will be stepped up through assessments from C3PAOs (CMMC Third Party Assessor Organizations) and the DIBCAC (Defense Industrial Base Cybersecurity Assessment Center).

Defense organizations that misrepresent their security status risk investigation by the Department of Justice (DoJ). The DoJ will potentially use the False Claims Act to levy punishments against organizations with these sorts of major discrepancies.

The 14 NIST 800-171 control families

The 110 controls of NIST 800-171 are divided into 14 families. Each family focuses on a different aspect of protecting CUI.

Defense organizations will need to develop a system security plan (SSP) describing how they meet each of the 110 controls across the 14 security domains. The SSP will also address known and anticipated threats.

14 NIST 800-171 Families

In their system security plan (SSP), defense organizations will describe how they meet each of the 110 controls across the 14 security domains and address known and anticipated threats.

Here is an overview of the 14 families.

    • Access Control: Ensuring only those personnel, accounts, and system processes that require access to CUI have such access.
    • Awareness and Training:Provide appropriate training and skills to those charged with the protection of CUI.
    • Audit and Accountability: The contractor must know what CUI information is maintained, where it is stored and processed, and by whom, when and where it is handled.
    • Configuration Management: Each component and process of an IT system has a configuration that dictates how it operates. By standardizing and managing configurations, systems and software should perform in definable and measurable ways.
    • Identification and Authentication: Employ measures that ensure authorized access is achieved only by those whose identities are confirmed and approved.
    • Incident Response: A defined response plan that indicates how the business will respond to a breach and ensure the business can resume operations.
    • Maintenance: The plan the team has created to keep IT systems up-to-date and ensure vulnerabilities are addressed, holes patched, and subsystems keep functioning.
    • Media Protection: Create policies for how physical media is handled, stored and transported.
    • Personnel Security: Plan to ensure employees, contractors and vendors are properly vetted, authorized and approved.
    • Physical Protection: Systems that contain CUI may be prone to theft or damage. Protections for portable workstations, laptops, mobile devices, servers and data storage areas to ensure the protection of CUI.
    • Risk Assessment Periodic evaluations of the risks posed to personnel, systems and information and review control measures for adequacy.
    • Security Assessment Periodically test and review security control measures, both logical and physical to verify they meet objectives; refine and update as needed.
    • System and Communications Protection Further measures to protect CUI data from unauthorized exposure; encryption is an important consideration.
    • System and Information Integrity Making sure systems and the data and information they process is trustworthy and has not been maliciously or accidentally altered.

Getting Started with NIST 800-171 compliance

Historically defense contractors have approached cyber security requirements as a checklist. NIST 800-171 and CMMC 2.0 turn that approach on its head. Modern cyber security in the DIB isn’t about checklists, it’s about developing a mindset that focuses on protecting data.

To prepare for a NIST 800-171 assessment, you should first determine where CUI lives in your environment. Ideally, you’ll want to condense that environment into a confined area known as an enclave. By creating an enclave, you will decrease the physical area that needs to be assessed and also decrease the complexity of the compliance exercise overall.

Second, you should deploy a solution to protect your CUI. The PreVeil platform, for example, is ideal for SMBs who need only protect CUI in a portion of their organization. PreVeil supports 102 out of 110 NIST 800-171 controls. It is easy to deploy and use. It is also very affordable and can be downloaded for free by your third parties.

Third, you should conduct a self-assessment of your organization against the 110 NIST 800-171 controls. You should detail how you are meeting each of the controls through a mix of technologies and policies and be able to provide an example of how each control is met. Alternatively, PreVeil can also provide a pre-populated SSP template that can be the basis for your own document and allow you to identify gaps and areas for improvement in your environment.

Lastly, you should hire a third-party MSP, MSSP or RP (Registered Practitioner) to help you meet the remaining controls which you are unable to meet on your own. PreVeil, for example, does not support 8 out of the 110 controls and so recommends that contractors hire a consultant to help create and manage a plan to close the delta.

Don’t procrastinate. Implementing a consultant’s compliance recommendations and documentation will likely take at least 6 months or more.

How to prepare for a NIST 800-171 assessment

If you’re a defense contractor it’s only a matter of time until you’ll need a NIST 800-171 assessment. Once CMMC goes into effect, every organization handling CUI will be assessed against NIST 800-171 by a Certified Third Party Assessment Organization (C3PAO). It can take a year or more to get assessment ready, so it’s in your best interest to begin now.

If you want to stand out from the other organizations bidding for contracts, you can choose to undergo a DIBCAC High assessment with a C3PAO and DIBCAC now. In this assessment you will be assessed on how well you meet NIST 800-171. Demonstrating compliance will provide you with a competitive advantage, whether you’re a prime contractor applying for contracts directly with the DoD or a subcontractor applying for work with a larger prime.

Here’s how to prepare for a successful NIST 800-171 assessment today.

      • First, the document you’ll be assessed against for NIST 800-171 is NIST 800-171A. This document breaks each of the 110 controls of NIST 800-171 into 320 security objectives. To satisfy a given control, you’ll need to meet each of the objectives making up that control.
      • Your SSP must include documentation that supports how you meet each of the 320 objectives that make up the 110 controls. It should break this down control by control. This documentation needs to be robust enough, and clear enough, to not only be easily accessible to your team, but also to external assessors reviewing your materials.
      • If you’re using a cloud service provider (CSP) to store and manage your CUI, you need to obtain a copy of their customer responsibility matrix (CRM). This should define which controls are met by the CSP and which are your responsibility. It should also demonstrate that the CSP is meeting DFARS 252.204-7012 c-g, which instructs defense contractors how to report cybercrimes such as identity fraud, theft of corporate data or ransomware attacks.
      • Compliance with NIST 800-171 requires a combination of technologies and policies. Ensure that your employees are complying with all necessary policies in advance of the assessor interview. Everyone should be familiar with the portions of your SSP that apply to their activities with CUI, and the scope of who is handling CUI and where should be limited as much as possible. The tighter you keep privileges, the less likely you are to have a breach.
      • Finally, FIPS 140-2 compliance has historically been an area of significant interest to assessors as well as one of the most challenging requirements to meet. FIPS 140-2 is a cryptographic-based security standard that must be met by a system protecting CUI. This regulation exists because all encryption is not created equal. FIPS 140-2 ensures that the cryptographic mechanisms of your encryption technologies are secure enough to satisfactorily defend data with possible national security implications.

Your NIST 800-171 compliance checklist

This checklist can help you prepare for NIST 800-171 compliance.

      1. Make sure you have complete stakeholder buy-in. Ensure that your entire company understands the importance of NIST 800-171 compliance and protecting CUI. Make sure you have executive buy in.
      2. Identify the scope of your environment. Find where CUI is located in your organization. The greater the scope, the more costly protection will be, both in terms of finances and time.
      3. Limit access to CUI. To improve efficiency, limit the scope of your environment as much as possible. Anyone who doesn’t need to touch CUI to do their duties should not have access. This goes both for employees and software.
      4. Adopt FIPS 140-2 validated technology to protect CUI. Ensure that the technology you’re using supports NIST 800-171 compliance.
      5. Create an SSP and supporting documentation. A robust SSP with all supporting documentation and procedures is a necessary minimum to achieve NIST 800-171 compliance.
      6. Conduct a self-assessment. Once you have an SSP you’ll be able to conduct a self-assessment against the 110 controls of NIST 800-171. On your first pass, focus on just getting a good outlook on your system as it is.v
      7. Identify gaps in technology and policy. Once you have a clear view of your current standing in relation to NIST 800-171 you can identify where you’ll need to do some work to get up to code.
      8. Create POA&Ms. Plans of Actions and Milestones (POA&Ms) are time-limited, step-by-step plans of how you’ll close existing gaps to achieve any unmet controls.
      9. Work on closing those POA&Ms. Once you’ve planned how to get your system up to regulation standards, execute those plans. POA&Ms are time-limited and will only be accepted by assessors on a selective basis, so you shouldn’t think of them as loopholes out of requirements. Instead, they are guides for you to follow in order to ready your organization for assessment.

PreVeil and NIST 800-171

PreVeil’s file sharing and email platform supports compliance with virtually all of the NIST 800-171 mandates related to the communication and storage of CUI.

PreVeil Drive allows users to encrypt, store, and share their files containing CUI. PreVeil Email allows users to send and receive emails securely using their existing email address. It adds an encrypted mailbox to Outlook and Gmail, which meets NIST 800-171 requirements for digital communications.

Together PreVeil Drive and Email allow users to share and store data and communications easily, while protecting those exchanges with military-grade encryption.

Conclusion

Compliance with NIST 800-171 now will smooth your company’s path to the new Level 2 when CMMC 2.0 becomes law. PreVeil can facilitate your compliance with NIST 800-171 now and CMMC 2.0 when it passes.

To learn more about how PreVeil’s Drive and Email platforms can help your organization improve its cybersecurity and move towards NIST 800-171 compliance, please contact us at preveil.com/contact or (617) 579-8305.