NIST 800-171 for Federal Contractors (FAR)


NIST 800-171 isn't just for Department of Defense (DoD) contractors. Representatives from the National Institute of Standards and Technology (NIST) and DoD officials have recently been making this point in webinars and other training seminars on NIST 800-171.

In summary, all US government contractors will have to comply with the NIST 800-171 requirements. This is a significant shift from the 15 high-level cybersecurity controls currently required of non-DoD contractors under the FAR.

The National Archives & Records Administration (NARA) is the driving force behind this. NIST 800-171 already lays out the plan for all "non-federal organizations" to comply with it, with guidance expected from NARA sometime in 2017.

This coming requirement is even specified on page v of NIST 800-171:

Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the Controlled Unclassified Information (CUI) Executive Agent designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program’s mission to establish uniform policies and practices across the federal government, NARA is issuing a final federal regulation in 2016 to establish the required controls and markings for CUI government-wide. This federal regulation, once enacted, will bind agencies throughout the executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program.

With regard to federal information systems, requirements in the federal regulation for protecting CUI at the moderate confidentiality impact level will be based on applicable policies established by OMB and applicable government-wide standards and guidelines issued by NIST. The regulation will not create these policies, standards, and guidelines which are already established by OMB and NIST. The regulation will, however, require adherence to the policies and use of the standards and guidelines in a consistent manner throughout the executive branch, thereby reducing current complexity for federal agencies and their nonfederal partners, including contractors.

In addition to defining safeguarding requirements for CUI within the federal government, NARA has taken steps to alleviate the potential impact of such requirements on nonfederal organizations by jointly developing with NIST, Special Publication 800-171 — and defining security requirements for protecting CUI in nonfederal systems and organizations. This approach will help nonfederal entities, including contractors, to comply with the security requirements using the systems and practices they already have in place, rather than trying to use government-specific approaches. It will also provide a standardized and uniform set of requirements for all CUI security needs, tailored to nonfederal systems, allowing nonfederal organizations to be in compliance with statutory and regulatory requirements, and to consistently implement safeguards for the protection of CUI.

Finally, NARA, in its capacity as the CUI Executive Agent, also plans to sponsor in 2017, a single Federal Acquisition Regulation (FAR) clause that will apply the requirements contained in the federal CUI regulation and Special Publication 800-171 to contractors. This will further promote standardization to benefit a substantial number of nonfederal organizations that are attempting to meet the current range and type of contract clauses, where differing requirements and conflicting guidance from federal agencies for the same information gives rise to confusion and inefficiencies. The CUI FAR clause will also address verification and compliance requirements for the security requirements in NIST Special Publication 800-171. Until the formal process of establishing such a FAR clause takes place, the requirements in NIST Special Publication 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements. If necessary, Special Publication 800-171 will be updated to remain consistent with the federal CUI regulation and the FAR clause.

Multi-Factor Authentication (MFA) for NIST 800-171 Compliance - Requirement #3.5.3

One of the most common technical questions we receive is about implementing Multi-Factor Authentication (MFA) as part of NIST 800-171 compliance (requirement #3.5.3 - Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts). When you cut through the hype for MFA products, there are generally two ways to incorporate [...]


Cybersecurity & Privacy Compliance - Statutory vs Regulatory vs Contractual Obligations

Compliance terms are pretty badly abused, even by professionals within the cybersecurity and privacy industries. This is our attempt to help get everyone on the same sheet of music, since words do have meanings and it is important to understand cybersecurity and privacy requirements.

STATUTORY CYBERSECURITY & PRIVACY REQUIREMENTS

Statutory obligations are required by law and refer [...]


Searching For A Magic Pill?

A little commentary on cybersecurity compliance from a cybersecurity professional.

During a recent commercial break on the news, there were several advertisements for new pharmaceuticals that addressed everything from lowering blood pressure to diabetes. The one thing that each commercial had in common was that each drug still required healthy eating and exercise to be effective. [...]


Tick, Tock on NIST 800-171 Compliance

If you have contracts with the US Department of Defense (DoD) or are a subcontractor to a prime contractor with DoD contracts, your organization has until December 31, 2017 to implement NIST SP 800-171. This is a requirement that is stipulated in the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. In the context of this article, DFARS focuses on two things: Safeguarding Covered [...]


The new baseline for private industry - NIST 800-171 Appendix E - Non-Federal Organization (NFO) Controls

Non-Federal Organization (NFO) controls are "expected to be routinely satisfied by non-federal organizations without specification." This is an often-overlooked reference from Appendix E of NIST 800-171. In this context, the term "without specification" means that the National Institute of Standards and Technology (NIST) considers these requirements basic enough that they do not need a detailed description. [...]


NIST 800-171 Compliance Video

We put a video together for businesses that need to comply with NIST 800-171, but do not know where to start. It covers how to define Controlled Unclassified Information (CUI), as well as Appendix D and Appendix E from NIST 800-171.

ComplianceForge YouTube Channel: NIST 800-171 Compliance Video


DFARS 252.204-7012 / NIST 800-171 Requirements - Non-Federal Organizations (NFO)

Have You Looked At Appendix E of NIST 800-171?

While it is not called out with the main NIST 800-171 requirements in chapter 3, Appendix E contains numerous NIST 800-53 controls that are marked as Non-Federal Organizations (NFO). Essentially, these NFO requirements are "expected to be routinely satisfied" by government contractors without NIST 800-171 having to [...]


Scoping NIST 800-171 - Use PCI DSS As A Guide

Managing NIST 800-171 Scoping

If you are new to NIST 800-171, it is intended to help "non-federal entities" (e.g., contractors) to comply with new security requirements using the systems and practices that contractors already have in place, rather than trying to use government-specific approaches. It also provides a standardized and uniform set of requirements for all [...]


Announcing The NIST 800-171 Compliance Criteria (NCC)

We listened to our customer needs for guidance on becoming compliant with NIST 800-171, so we created the NIST 800-171 Compliance Criteria (NCC) product. This took considerable time to develop and contains expectations and recommendations that a for-hire consultant would offer you. If you are just starting out on the path to become compliant with NIST 800-171, this [...]

