Is NIST 800-171 Compliance Really That Hard to Attain?

The National Institute of Standards and Technology (NIST) first published Special Publication 800-171 in 2015 (revised in 2016) to specify how Controlled Unclassified Information (CUI) must be protected when it is stored or processed in nonfederal systems and organizations, such as contractors.

The goal was to give organizations outside the Federal Government a cybersecurity baseline for information that is not classified but is still sensitive and relevant to the interests of the United States. Although many believe NIST 800-171 is overwhelming and over-complicated, it is not actually that difficult to attain. Let’s take a more in-depth look…

What Do DoD Contractors Need to Know About NIST 800-171?

DoD contractors that handle CUI must comply with NIST 800-171 (the requirement flows down through DFARS clause 252.204-7012) in order to keep providing services to the Department of Defense. Meeting the requirements typically takes an experienced IT department or an outside technology services provider, but we’re going to break it down so company executives can understand what is involved and implement as needed.


The Department of Defense estimates that the total value of data lost to our adversaries is $60 billion per year. That is A LOT of money lost due to lax cybersecurity measures.

In short, DoD contractors need to understand the requirements, as well as what constitutes CUI. CUI is unclassified information that a law, regulation or government-wide policy says must be safeguarded or dissemination-controlled; the specific categories are listed in the National Archives’ CUI Registry. Sounds complicated, right? Let’s simplify it a bit… Anyone who processes, stores or transmits CUI on behalf of the DoD, NASA, GSA or any other federal agency must take cybersecurity seriously.

It’s as simple as that… If you take cybersecurity seriously, you’re able to comply with NIST 800-171 quite easily. NIST 800-171 groups its requirements into 14 families, and within those families there are 110 security requirements in total (as of Revision 1). Fortunately, many of these requirements are typical best practices that most forward-thinking organizations already have in place. The 14 families are:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

When we mention typical best practices, we’re referring to very simple, easy things like the following (with the NIST 800-171 requirement each one maps to):

  • Using complex, hard-to-guess passwords made of a combination of letters, numbers and symbols (3.5.7), together with multifactor authentication for network access and for privileged accounts (3.5.3).
  • Running anti-virus (malicious code protection) software that is updated as new signatures are released, to keep up with evolving threats (3.14.2 and 3.14.4).
  • Having an enterprise-grade firewall in place that monitors and controls traffic at the network boundary to protect against unauthorized access (3.13.1).
  • Restricting access to data on an “as needed” basis so that only those who require access have it, and only with the privileges they need (3.1.1, 3.1.2 and 3.1.5).

Many of the requirements will be covered if you’re already taking these precautions. But compliance also means documenting them: NIST 800-171 requires a system security plan that describes how each requirement is met, and a plan of action for any that are not yet met (3.12.4 and 3.12.2). It’s important to have an experienced third party come in and evaluate your environment, especially if you’re not confident in the safeguards you have in place.

Need an experienced IT company that knows NIST 800-171? Contact Hampton Roads Communication Technologies at (757) 255-8952. We work with DoD contractors throughout the United States and the Mid-Atlantic Region, including Hampton Roads, Virginia, north into Williamsburg and south into the Outer Banks of North Carolina.

What else do you need to know about NIST 800-171? In September 2019, version 0.4 of the Cybersecurity Maturity Model Certification (CMMC) was released for public comment. CMMC is designed to tell DoD contractors clearly which level of security is required for a particular engagement. Check out our full article on CMMC here.