Do you currently have contracts with the United States Department of Defense (DoD), or are you a subcontractor to a prime contractor with DoD contracts? If so, your organization must comply with the National Institute of Standards and Technology’s latest framework, NIST 800-171.

NIST 800-171 is designed to provide guidance to non-federal entities (contractors, state governments, federal grant recipients, etc.) to ensure that all systems that process, store, or transmit Controlled Unclassified Information (CUI) are secured and hardened in the following cases:

  • When the CUI resides in nonfederal information systems and organizations.
  • When the information systems where the CUI resides are not operated by organizations on behalf of the federal government.
  • Where the CUI does not have specific safeguarding requirements prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.

Effective December 31, 2017, government contractors handling sensitive federal information must comply with the NIST 800-171 requirements found in the Defense Federal Acquisition Regulation Supplement (DFARS). DFARS is a supplement to the Federal Acquisition Regulations (FAR) that provides DoD-specific acquisition regulations that DoD government acquisition officials, and contractors doing business with DoD, must follow when procuring goods and services.

The CUI requirements recommended in 800-171 are derived from Federal Information Processing Standards (FIPS) Publication 200 and the moderate security control baseline in NIST 800-53, and are based on the proposed CUI regulation (32 CFR Part 2002, Controlled Unclassified Information).

FIPS are publicly announced standards developed by the US federal government for use in computer systems by nonmilitary government agencies and government contractors. These standards are an integral part of the risk management framework that NIST has developed to assist federal agencies in providing levels of information security based on levels of risk.

While the deadline to comply has since passed, it’s estimated that less than one percent met that deadline. There is currently no certification for NIST 800-171; instead, compliance is based on the honor system, where you self-attest that your organization complies with all requirements of the regulation. This regulation is not to be taken lightly; there’s a lot at stake here. Non-compliance could potentially result in contract termination, criminal fraud, and possibly lawsuits claiming breach of contract.

NIST 800-171 is very descriptive about what needs to be accomplished to meet security compliance around CUI, but it does not advise on where to start or how to prioritize. 800-171 is very detailed and requires an understanding of 110 controls across 14 categories, which help define exactly what needs to be accomplished. However, it lacks any prescriptive detail on “how” to achieve compliance and what the priority of those requirements should be.

Let NNT show you how a single solution addresses one-third of all the security and compliance requirements across the various 14 categories.


NIST 800-171 Security Control Families

AC  Access Control                     MP  Media Protection
AU  Audit and Accountability           PP  Physical Protection
AT  Awareness and Training             PS  Personnel Security
CM  Configuration Management           RA  Risk Assessment
IA  Identification & Authentication    SA  Security Assessment
IR  Incident Response                  SC  System & Communications Protection
MA  Maintenance                        SI  System & Information Integrity


Speak to a consultant to help you in your NIST 800-171 compliance program today!



Copyright 2021, New Net Technologies LLC. All rights reserved. 