Are You Ready for the NIST 800-171 Compliance Marathon?


By Rich Selvidge, CISSP, Solutions Architect at Redhawk Network Security

What does it take to train for a marathon? Like anything else—with your goal and finish line looming ahead—it takes planning, effort, focus, pacing, and sweat.

What Is the Goal? Get Your Security Foundation in Place

Getting your company in compliance shape for NIST 800-171, with the looming December 31, 2017 deadline enforced by the U.S. Department of Defense (DoD), is much like training for a marathon. If your company or organization contracts for the government, you must implement all of the security requirements and controls outlined in the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171—Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations—by mile marker 12-31-17. If you don’t, you risk losing your contracts, costing your organization millions of dollars in lost revenue:

“…the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. . .” The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017…”

-Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012

Controlled Unclassified Information is defined as “information that requires safeguarding or dissemination controls pursuant to and consistent with pursuant to and consistent with law, regulations, and government-wide policies,” as defined by Executive Order 13556. CUI is sensitive information, but isn’t actually classified information. For example, flight schedules and itineraries for a military unit, or information maintained by a company regarding the federal government’s uses of advanced drone technology. It’s a blanket term meant to unify the many names that the different federal agencies have for information that meets the above description (e.g. The Department of Defense calls it “FOUO” (For Official Use Only), Department of State calls it ‘SBU’ (Sensitive but Unclassified), Department of Justice calls it ‘LES’ (Law Enforcement Sensitive), etc.).

NIST SP 800-171 provides security controls for federal agencies to develop business relationship requirements for non-federal organizations that handle CUI.  The required SP 800-171 controls include:

  1. Access Control
  2. Awareness and Training
  3. Auditing and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Securit
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communication Protection
  14. System and Information Integrity

According to Runner’s World, marathoners should run consistent weekly mileage for at least a year before beginning the 15- to 20-week training plan. You have a lot less time than that to achieve full compliance with NIST 180-171—it typically takes six to nine months. If you haven’t begun your assessments, evaluations, testing, and implementation, however, there is still time to make good headway.

December 31, 2017 Is A Checkpoint; Don’t Forget NFO Controls

Achieving compliance with NIST 800-171 by December 31, 2017, is not the finish line. It’s more of a checkpoint for establishing security building blocks for the long run: building a strong security network. Your efforts and sweat are ensuring that your policies, procedures, and security plans—the fundamental building blocks for a mature security program—are in place, better positioning you for the threats of 2018 and beyond.

To help you build your strong security network, make sure you also have your Non-Federal Organization (NFO) controls in place. Back in August 2015, NIST 800-171 listed 62 NFO controls as “expected.” NFO items cover every NIST category from Access Controls to Systems and Information Integrity, as well as a new category, Planning. While you should already have these controls in place, they are not part of the “mandatory minimum” baseline of risk mitigation effort. However, the government expects them to be satisfied as part of your existing security policy. There is no option to accept a certain level of risk in lieu of the minimum security controls.

Going the Extra Mile: Security Due Diligence Will Pay Off 

Contractors have to go the extra mile and implement NFO controls in addition to the new NIST 800-171 controls. These NFO controls are expected to be routinely satisfied by nonfederal organizations. The NFO controls affect all 16 of the following categories:

  1. Planning
  2. Acquisition
  3. Configuration Management
  4. Identification and Authentication
  5. Incident Response
  6. Acquisition (SA-8)
  7. Maintenance
  8. Physical Security
  9. Risk Assessment
  10. Security Assessment (CA-2)
  11. Awareness and Training
  12. Contingency Planning
  13. Security Assessment
  14. Physical and Environmental Protection
  15. System and Communication Protection
  16. System and Information Integrity

At this point you may be asking, “OK, but my company deals with federal contracts, not DoD, so does this apply to me?” Great question. Even though DFARS 52.204-21 does not include the NFO requirements, these are “things you should be doing anyway.”

Getting in compliance shape by the end of the year is no easy feat. Neither is building a managed network. December 31, 2017 is a mile marker that will be here sooner than you think. The time to start training is now. 

[clickToTweet tweet=”Are You Ready for the NIST 800-171 Compliance Marathon?” quote=”Are You Ready for the NIST 800-171 Compliance Marathon?” theme=”style3″]

About the Author: As Solutions Architect at Redhawk Network Security, Rich Selvidge is a catalyst to developing solutions in collaboration with clients. Rich has a background in Cybersecurity, Information Security, and Risk Management for various Department of Defense and federal government agencies that provide the required experience needed to develop customized solutions tailored to client needs. Rich is CISSP certified, and holds a Bachelor of Science in Information Technology and a Masters in Information Technology as well as several other certifications focused on IT and IS. Rich has experience with various compliance requirements such as DoD, NIST, FISMA, PCI, HIPAA, and SOC/Cert.


    • I don’t see it replacing NISPOM but I think any organization that falls under DFARS could adopt some of the general safeguarding requirements in Chapter 5. Particularly Safeguarding Oral Discussions, End of Day Security Checks, and the disclosure section as well.
      Where I do see it making an impact is with the Department of Education.
      In light of the Gen-15-18 and Gen-16-12 Dear Colleague letters regarding protecting student information and to comply with the requirements of those letters, I believe most if not all higher education organizations will have to adopt the NIST 800-171 standards.
      The Gen-15-18 and Gen-16-12 Dear Colleague letters apply to all student information and require institutions that obtain Federal Student Aid (FSA) must certify as being compliant with the Gramm-Leach-Bliley Act (GLBA). The further recommendation found within the letters is to apply NIST 800-171 standards, the application of which would guarantee compliance with the GLBA, and thus the Federal Student Aid requirements.

Comments are closed.