What is NIST 800-171?

The U.S. Government considers the protection of Controlled Unclassified Information (CUI) in nonfederal systems and organizations to be of great importance to federal agencies. Loss or breach of CUI can directly impact the ability of the agencies to perform their missions and operations.

NIST 800-171 refers to National Institute of Standards and Technology (NIST) Special Publication 800-171, which governs Controlled Unclassified Information (CUI) that is processed, stored, and transmitted in Non-Federal Information Systems and Organizations. It is a standard that defines the security requirements and methods of safeguarding and distributing the material deemed sensitive but not classified by the federal government agencies when:

  • CUI is resident in nonfederal systems and organizations,
  • No specific safeguarding requirements exist for protecting the confidentiality of CUI by another law or regulation, and
  • The nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency.

The security requirements identified in the NIST 800-171 standard are intended for use by federal agencies in contracts and other agreements established between those agencies and nonfederal organizations, such as their subcontractors and partners.

Who is Required to Comply?

DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012 requires companies and organizations to comply with the NIST 800-171 cyber security standard when they process, store, or transmit CUI. This requirement is typically found in Department of Defense contracts. Organizations and companies that are not compliant with this standard risk losing their DoD contracts.

Simply put, if your company or organization wants to work with the DoD, you will have to be NIST 800-171 compliant if you receive or process CUI.

DFARS also requires contractors and subcontractors to immediately report cyber breaches and incidents (within 72 hours of discovery) to the DoD. If your company is a lower-tier subcontractor, it is also required to provide the incident report to the higher-tier subcontractor, until the prime contractor is reached.

In summary, every contracting organization must take immediate action to fulfill the requirements if it is not already compliant. The preparation process typically includes an in-depth assessment of the organization's current cyber-security posture and identification of the requirements. Thereafter, the organization should implement actions that include securing system access, increasing employee awareness, properly configuring the system security settings, installing/deploying necessary risk analysis and monitoring software, etc.

Failure to comply can result in the termination of active contracts with the DoD, fines or penalties resulting from the breach of contract, and rejection from new contracts.

What are the Components of NIST 800-171?

The standard has 14 key areas and requirement families. Companies must implement approximately 110 requirements that are outlined in these areas:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Physical Protection
  10. Personnel Security
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity


How Can We Help You?

Linqs cybersecurity consultants have extensive experience and advanced degrees in information security and industrial applications. We are skilled in the analysis of requirements applicable to your business model. Our special focus is high-technology industry sectors, such as aerospace, additive manufacturing, semiconductors, electronics, computer, information security, software, space & satellite, telecommunications, material science, and energy. We will conduct the gap analysis on your processes and systems, and help you develop the necessary documentation for NIST 800-171 compliance. Our 3-phase project works as follows:

Phase 1 - Training, Assessment, and Gap Analysis

  • Provide training on NIST 800-171 and requirements.
  • Review the organization's system(s) and determine where CUI and CDI are located.
  • Review the NIST 800-171 control requirements based on the organization's systems.
  • Identify the gaps where remediation is needed.

      Duration: 1 week

Phase 2 - Compliance Program Management and Procedure Development

  • Prioritize the gaps which can be closed in a short time frame.
  • Develop the System Security Plan (SSP).
  • Develop the Incident Response Plan (IRP).
  • Develop the NIST 800-171 Compliance Letter for Customers.
  • Develop the Plan of Actions & Milestones (PoAM).
  • Advise on the software and system purchases and implementation.


  • Organization System Security Plan
  • Incident Response Plan
  • Compliance Letter for Customers
  • Plan of Actions & Milestones

     Duration: 3-4 weeks

Phase 3 - Continuous Compliance Monitoring (Optional)

  • Assess and identify the new gaps as a result of changes in the environment.
  • Update the System Security Plan (SSP).
  • Update the Incident Response Plan (IRP).
  • Recommend updates on existing policies and procedures compliant with NIST 800-171.
  • Update the PoAM with remediation actions.
  • Advise on the software and system purchases and implementation.

     Duration: 1-2 weeks

Where Else Can We Assist You?

Linqs experts can also assist your organization with the development of information security procedures as needed.

We are also nationally known experts in export control regulations. If your organization is involved in the design, manufacture, or export of defense articles, we can help you set up an ITAR compliance program as well as EAR Defense compliance programs.