What is NIST 800-171?
The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204.7012 establishes NIST 800-171 as the minimum security standard a contractor must meet to adequately protect Controlled Unclassified Information (CUI). The publication was issued by the National Institute of Standards and Technology (NIST), and it provides guidance for protecting CUI when it is processed, stored, and used in non-federal information systems.
Is my company affected by NIST 800-171 Guidelines?
Businesses that have contractual relationships with the federal government are now required to comply with NIST 800-171. Subcontractors that don't work directly with federal government agencies must also comply, because they work with the government indirectly through their prime contractor. NIST SP 800-171 requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. NIST 800-171 therefore affects a range of service providers, including state and local governments, nonprofits, materials vendors, and systems integrators.
What's at stake with NIST 800-171?
Three consequences of non-compliance are certain:
- The federal government will terminate contracts over NIST 800-171 non-compliance, since it constitutes a failure to uphold contract requirements.
- A company that states it is compliant when it is not is engaging in criminal fraud.
- Failing to comply can also constitute breach of contract, since the contractor has not maintained the specific standard of conduct the contract requires.
What are the 800-171 requirements?
There are 14 families of security requirements that must be met. Each family has its own set of requirements that affected systems and programs must satisfy.
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
How to Comply with NIST 800-171
The easiest route to determining your compliance status is an assessment by an outside third party. If you are unsure how NIST 800-171 affects your business, or don't know where to start with NIST 800-171 compliance, it is strongly advisable to seek advice from compliance experts.
Beringer Technology Group is always here to provide expert knowledge on topics like these. Contact us today for any questions you may have.
Beringer Technology Group is a leading Microsoft Gold Certified Partner specializing in Microsoft Dynamics 365 and CRM for Distribution. We also provide expert Managed IT Services, Backup and Disaster Recovery, Cloud Based Computing, and Unified Communication Solutions.