Do you currently have contracts with the United States Department of Defense (DoD), or are you a subcontractor to a prime contractor with DoD contracts? If so, your organization must comply with the National Institute of Standards and Technology’s latest framework, NIST 800-171.

NIST 800-171 is designed to provide guidance to non-federal entities- contractors, state governments, federal grant recipients, etc.- to ensure all systems that process, store, or transmit Controlled Unclassified Information (CUI) are secured and hardened when:

  • When the CUI resides in nonfederal information systems and organizations.
  • When the information systems where the CUI resides is not operated by organizations on behalf of the federal government.
  • Where the CUI does not have specific safeguarding requirements prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.

Effective December 31, 2017, government contractors handling sensitive federal information must comply with the NIST 800-171 requirements found in the Defense Federal Acquisition Regulation Supplement. DFARS is a supplement to the Federal Acquisition Regulations (FAR) that provides Department of Defense specific acquisition regulations that DoD government acquisition officials, and those contractors doing business with DoD, must follow in the procurement process for goods and services.

The CUI requirements recommended in 800-171 are derived from Federal Information Processing Standards (FIPS) Publication 200 and the moderate security control baseline in NIST 800-53 and based on the proposed CUI regulation (32 CFR Part 2002, Controlled Unclassified Information).

FIPS are publicly announced standards developed by the US Federal government to use in computer systems by nonmilitary government agencies and government contractors. It is an integral part of the risk management framework that NIST has developed to assist federal agencies in providing levels of information security based on levels of risk.

While the deadline to comply has since passed, it’s estimated less than one percent met that deadline. There is currently no certification for NIST 800-171 and instead is based on the honor systems where you self-attest that your organization complies with all requirements of the regulation. This regulation is not to be taken lightly; there’s a lot at stake here. The impact of non-compliance could potentially result in contract termination, criminal fraud, and possibly lawsuits claiming breach of contract.

NIST 800-171 is very descriptive in what needs to be accomplished to meet security compliance around CUI, but it does not advise or prioritize on where to start. 800-171 is very detailed and requires the understanding of 110 controls across 14 categories which helps define exactly what needs to be accomplished. However, it lacks any prescriptive detail of “how” to accomplish compliance success and what should be the priority of those requirements.

Let NNT show you how a single solution addresses one-third of all the security and compliance requirements across the various 14 categories.


                           NIST 800-171 Security Control Families
AC Access Control MP Media Protection
AU Audit and Accountability PP Physical Protection
AT Awareness and Training PS Personnel Security
CM Configuration Management RA Risk Assessment
IA Identification & Authentication SA Security Assessment
IR Incident Response SC System & Communications Protection
MA Maintenance SI System & Information Integrity


Speak to a consultant to help you in your NIST 800-171 compliance program today!



The Most Powerful & Reliable Cybersecurity Products

change tracker gen7r2 logo

Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.

FAST Cloud logo

Fast Cloud: Leverage the world’s largest whitelist repository to automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology)

vulnerability tracker logo

Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

log tracker logo

Log Tracker: Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds

Contact Us

Corporate Headquarters

6160 Warren Parkway, Suite 100
Frisco, Texas, 75034

Phone 1: 1-949-407-5125

Phone 2: 888-638-9749 (toll-free)

[email protected]

United Kingdom

5 New Street Square
London EC4A 3TW

Phone: +44 (0) 203 588 3023

 [email protected]
SC Magazine Cybersecurity 500 CSGEA Winners 2021 CIS benchmarking SEWP Now Certified IBM Security
Copyright 2024, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.