What, exactly is NIST SP 800-171?
Special Publication (SP) 800-171 contains security guidelines developed by the National Institute of
Standards and Technology (NIST) that specifies how you should configure your information
systems to protect Controlled Unclassified Information (CUI). The current version (revision 1) of
this guidance can be downloaded from: HERE
What is Controlled Unclassified Information (CUI)?
The CUI Program is a Government-wide program that standardizes the way the executive
branch manages unclassified information that requires safeguarding or dissemination controls
required by law, Federal regulation, and Government-wide policy. This Program replaces
existing agency programs like For Official Use Only (FOUO), Sensitive But Unclassified (SBU),
Official Use Only (OUO), and others. The CUI Program addresses the current inefficient and
confusing patchwork of over 100 agency-specific policies throughout the executive branch that
leads to inconsistent marking and safeguarding as well as restrictive dissemination policies.“
All categories of information that currently qualify as CUI can be located here at the National
Archives CUI Registry. Frequently encountered categories of CUI include Privacy – Personnel
(e.g. Personally Identifiable Information (PII)) and Controlled Technical Information (CTI) (e.g.
source code, engineering data, specifications).
Who is required to comply with NIST SP 800-171?
Any organization that handles CUI data and does business with the Department of Defense
(DoD) (either as a prime or subcontractor) are required to comply with Defense Federal
Acquisition Regulation Supplement (DFARS) clause 252.204.7012 (Safeguarding Unclassified
Controlled Technical Information) by 31 December 2017. Compliance with NIST SP 800-171
satisfies the DFARS clause requirement.
If you have any doubts about your need to comply, either confirm with your assigned Contracting
Officer (CO) and/or review your contract’s Terms and Conditions for DFARS clause 252.204.7012 requirements.
How do I comply with NIST SP 800-171?
Full compliance with NIST SP 800-171 requires creation and maintenance of the following
documentation (also known as artifacts): System Security Plan (SSP), and Plan of Action and
The SSP illustrates your CUI system environment (to include system description, system
environment diagram, and full hardware/software inventory) and details how thoroughly your
organization currently implements each of the 110 required security controls contained within
Chapter Three of NIST SP 800-171.
The POA&M contains a list of all security controls that are not fully implemented within your
CUI system environment and includes both associated fix actions and estimated completion
Following initial creation, the SSP must be reviewed and updated at least annually to maintain
compliance. Further, the POA&M should be updated both quarterly to record progress made
towards control implementation and annually when updating the SSP.
What differentiates your NIST SP 800-171 compliance service from other vendors?
Our NIST SP 800-171 compliance service is staffed by practicing subject matter experts who
currently conduct system audits (Security Controls Assessment), develop SSPs, POA&Ms and
implement system security controls (Information System Security Engineering) for multiple DoD
and Federal Civilian Agencies. Our extensive experience helps us fully understand what is
required to both achieve and maintain compliance for your organization.