What, exactly is NIST SP 800-171?


NIST released 800-171 Rev 2 (Draft) in June 2019 that includes editorial changes and no changes to the basic & derived security requirements of the 110 Controls. The revised version (revision 2) of this guidance can be downloaded from: HERE

Also, NIST has released 800-171B (Draft) in June 2019 as well.  The current 800-171 was not designed to address Advanced Persistent Threat (APT). This is a supplement to 800-171 that adds an additional 33 Controls when Controlled Unclassified Information is part of a critical program that includes High Value Asset (HVA) & Advanced Persistent Threat (APT).  The supplement version (800-171B) of this guidance can be downloaded from: HERE

What is Controlled Unclassified Information (CUI)?


Per the National Archives CUI Program Blog

The CUI Program is a Government-wide program that standardizes the way the executive
branch manages unclassified information that requires safeguarding or dissemination controls
required by law, Federal regulation, and Government-wide policy. This Program replaces
existing agency programs like For Official Use Only (FOUO), Sensitive But Unclassified (SBU),
Official Use Only (OUO), and others. The CUI Program addresses the current inefficient and
confusing patchwork of over 100 agency-specific policies throughout the executive branch that
leads to inconsistent marking and safeguarding as well as restrictive dissemination policies.“
All categories of information that currently qualify as CUI can be located here at the National
Archives CUI Registry. Frequently encountered categories of CUI include Privacy – Personnel
(e.g. Personally Identifiable Information (PII)) and Controlled Technical Information (CTI) (e.g.
source code, engineering data, specifications).

Who is required to comply with NIST SP 800-171?


Any organization that handles CUI data and does business with the Department of Defense (Do) (either as a prime or subcontractor) are required to comply with Defense Federal Acquisition Regulations Supplement (DFARS) clause 252.204.7012 (Safeguarding Unclassified Controlled Technical Information) as of December 2017.  Compliance with NIST SP 800-171 satisfies the DFARS clause requirement.

How do I comply with NIST SP 800-171?


Full compliance with NIST SP 800-171 requires creation and maintenance of the following
documentation (also known as artifacts): System Security Plan (SSP), and Plan of Action and
Milestones (POA&M).

The SSP illustrates your CUI system environment (to include system description, system
environment diagram, and full hardware/software inventory) and details how thoroughly your
organization currently implements each of the 110 required security controls contained within
Chapter Three of NIST SP 800-171.

The POA&M contains a list of all security controls that are not fully implemented within your
CUI system environment and includes both associated fix actions and estimated completion

Following initial creation, the SSP must be reviewed and updated at least annually to maintain
compliance. Further, the POA&M should be updated both quarterly to record progress made
towards control implementation and annually when updating the SSP.


What differentiates your NIST SP 800-171 compliance service from other vendors?


Our NIST SP 800-171 compliance service is staffed by practicing subject matter experts who
currently conduct system audits (Security Controls Assessment), develop SSPs, POA&Ms and
implement system security controls (Information System Security Engineering) for multiple DoD
and Federal Civilian Agencies. Our extensive experience helps us fully understand what is
required to both achieve and maintain compliance for your organization.