The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 deadline has come and gone, but can your organization guarantee compliance? If not, the consequences for non-compliance will alarm you.

The Defense Federal Acquisition Regulation Supplement (DFARS) made NIST 800-171 mandatory for defense contractors who have the DFARS 252.204-7012 clause in any contract. NIST 800-171 was designed specifically for the protection of Controlled Unclassified Information (CUI) residing in non-federal information systems, i.e. those in use to support private enterprises.

The requirements are mapped out across fourteen security control families, many of which were adopted from NIST 800-53. Each category highlights how an assessor could examine, interview, or test each particular control at issue.

NIST 800-171 Security Control Families

  AC  Access Control                       MP  Media Protection
  AU  Audit and Accountability             PP  Physical Protection
  AT  Awareness and Training               PS  Personnel Security
  CM  Configuration Management             RA  Risk Assessment
  IA  Identification and Authentication    SA  Security Assessment
  IR  Incident Response                    SC  System and Communications Protection
  MA  Maintenance                          SI  System and Information Integrity


The deadline to comply was December 31, 2017, but what if you're not in compliance? To start, there's currently no fine or penalty for noncompliance, nor is there any certification required to prove compliance. That said, there are still consequences for non-compliance.

As with other provisions in a federal contract, if the contract contains an applicable regulation, the contractor agrees on signing that it is in compliance with all contract terms. A contractor that is not compliant, and that has not submitted variance requests or plans of action to remediate the noncompliance, could therefore be in breach of contract, resulting in monetary damages or other adverse consequences.

Additionally, if the solicitation identified compliance with NIST 800-171 as an evaluation factor, then noncompliance, if discovered, could be grounds for protest. Another possible consequence is criminal fraud: if a company claims to be in compliance knowing it is not, that misrepresentation of facts is seen as a criminal act. The other possibility is contract termination due to failure to uphold the contract agreement. This could cost organizations millions in lost revenue from the federal government.

Late last month NIST released its updated final public draft, NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. NIST also released two additional resources to help contractors with their compliance initiatives: templates for contractor system security plans (SSPs) and plans of action and milestones (POAMs). Under the basic security requirements of NIST 800-171, these documents are required as part of a contractor's system security assessment.


NNT's Change Tracker™ product maps directly to 9 of the 14 security control families. To better understand what those controls are and where an organization might most effectively start, see below for a detailed breakdown of how NNT solutions can help you address each requirement.

Read the article on the National Law Review
Copyright 2021, New Net Technologies LLC. All rights reserved. 