DFARS 252.204-7012 - NIST 800-171 Compliance
If you are new to NIST 800-171, it is intended to help "non-federal entities" (e.g., contractors) comply with security requirements using the systems and practices they already have in place, rather than adopting government-specific approaches. It also provides a standardized and uniform set of requirements for all Controlled Unclassified Information (CUI) security needs, tailored to non-federal systems, so that non-federal entities can comply and consistently implement safeguards for the protection of CUI. When it comes down to it, NIST 800-171 rev 1 is designed to address common deficiencies in managing and protecting unclassified information, including inconsistent markings and inadequate safeguarding.
Affordable, Editable NIST 800-171 Compliance Documentation (DFARS 252.204-7012)
ComplianceForge is a niche cybersecurity company that specializes in compliance-related documentation. We are a leading provider for NIST 800-171 compliance documentation, where we serve clients from small businesses through the Fortune 500 with our NIST 800-171 compliance products.
What Problem Does ComplianceForge Solve?
- Lack of In-House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid at all costs. Tasking your security analysts and engineers with writing comprehensive NIST 800-171 compliance documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. ComplianceForge offers NIST 800-171 documentation solutions that can save your organization significant time and money!
- Compliance Requirements - The reality of non-compliance with NIST 800-171 requirements is lost business and potential fines. In addition to losing contracts, charges of fraud may be leveled against companies that claim to be compliant with NIST 800-171 but cannot provide evidence. Our documentation can help you become and stay compliant with NIST 800-171, with documented evidence to prove it!
- Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. Our documentation provides mapping to NIST 800-53 and other leading security frameworks to show you exactly what is required to both stay secure and compliant. Being editable documentation, you are able to easily maintain it as your needs or technologies change.
How Does ComplianceForge Solve It?
- Clear Documentation - In an audit, clear and concise documentation is half the battle. ComplianceForge provides comprehensive documentation that can prove your NIST 800-171 compliant security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
- Time Savings - Time is money! Our cybersecurity documentation addresses DFARS and FAR requirements and this can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.
- Alignment With Leading Practices - We did the heavy lifting. Our documentation is mapped to NIST 800-53, as well as other leading security frameworks!
ComplianceForge even has a "consultant in a box" product, the NIST 800-171 Compliance Criteria (NCC):
FAR vs DFARS Implications
When you look at choosing ISO or NIST from the viewpoint of complying with US government regulations, there are considerations that need to be accounted for since FAR has different requirements from DFARS.
- If you only need to address FAR 52.204-21, it is possible to comply with either ISO 27002 or NIST 800-53.
- However, if you need to address DFARS 252.204-7012, ISO 27002 is insufficient: the clause requires NIST 800-171, whose requirements map to NIST 800-53, so you need to align with NIST 800-53.
Not Sure Where To Start With NIST 800-171 Compliance?
If you are not sure where to start, we put together a short video with some helpful guidance on how to get on the path to NIST 800-171 compliance.
If you want to learn more about NIST 800-171 requirements and how to minimize scoping, we recommend pouring yourself a cup of coffee and watching the video we put together.
Comprehensive NIST 800-171 Compliance Documentation
ComplianceForge has NIST 800-171 compliance documentation that applies if you are a prime or sub-contractor.
We put together a free guide to help companies scope their computing environment, identifying what is in scope for NIST 800-171 and what falls outside of scope.
NIST 800-171 Scoping Considerations
When you look at NIST 800-171 rev 1 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS).
From the perspective of PCI DSS, if scoping is done poorly, a company's entire network may be in scope as the Cardholder Data Environment (CDE), which means PCI DSS requirements would apply uniformly throughout the entire company. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable.
We feel that NIST 800-171 should be viewed in the very same manner. This guide is meant to help companies identify assets within scope for NIST 800-171 and potentially find ways to minimize scope through isolation or controlled access.
Not sure what CUI is or if you have CUI on your network? Go to the US Government's authoritative source on the matter, the US Archives CUI Registry at https://www.archives.gov/cui/registry.
Is Your Organization Audit Ready for NIST 800-171?
When you "peel back the onion" and prepare for a NIST 800-171 audit, there is a need to address "the how" for certain topics. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation to address HOW it gets done. We did the heavy lifting and created several program-level documents to address this need and they integrate with either the Written Information Security Program (WISP) or Digital Security Program (DSP) to provide your organization with a set of robust documentation to prepare for your audit.
Key Assumptions For NIST 800-171 That Impact Scoping
NIST 800-171 states that contractors may limit the scope of the CUI security requirements to the particular systems or components that process, store, or transmit CUI, or that provide security protection for such components. Isolating CUI into its own security domain by applying architectural design principles or concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for non-federal organizations to satisfy the requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both.
Background on NIST 800-171 Rev 1 Controls
Appendix D of NIST 800-171 provides a direct mapping of CUI security requirements to the security controls in NIST 800-53 rev4 and ISO/IEC 27001:2013. This security control mapping information can be useful to organizations that wish to demonstrate compliance with the CUI security requirements in the context of their established information security programs, when such programs have been built around the NIST or ISO frameworks. NIST 800-53 has a direct mapping, whereas ISO 27001/27002 has gaps that would have to be filled with enhanced policies and standards.
NIST 800-171 requires private companies to protect the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST 800-171 are directly linked to NIST 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and non-federal organizations (e.g., government / DoD contractors), as it applies to:
- When CUI is resident in non-federal information systems and organizations;
- When the non-federal organization is not collecting or maintaining information on behalf of a federal agency or using or operating an information system on behalf of an agency; and
- Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry. The security requirements apply only to components of non-federal information systems that process, store, or transmit CUI, or that provide security protection for such components.
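The scoping rule in the last bullet (components that process, store, or transmit CUI, plus components that provide security protection for them) and the isolation guidance above can be turned into a repeatable check against an asset inventory. The following Python script is an added example, not part of ComplianceForge's guide or any NIST publication; the asset names, segment names and the Asset/Segment data model are hypothetical and the inventory is constructed inline. It contrasts the same inventory with the CUI segment isolated behind a boundary device and with the segment left flat, showing how poor isolation pulls unrelated assets into scope, the same "flat network" effect the PCI DSS comparison describes.

```python
"""NIST 800-171 scope calculation over a small asset inventory (hypothetical example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str                            # security domain the asset sits in
    handles_cui: bool = False               # processes, stores or transmits CUI
    protects: FrozenSet[str] = frozenset()  # segments this asset provides security protection for


@dataclass(frozen=True)
class Segment:
    name: str
    isolated: bool  # True if a firewall or other boundary device separates it from the rest of the network


def scope_report(assets: Iterable[Asset], segments: Iterable[Segment]) -> Dict[str, str]:
    """Return {asset_name: reason} for every asset that is in NIST 800-171 scope.

    Rules applied:
      1. An asset that processes, stores or transmits CUI is in scope.
      2. Segments without boundary protection form one flat security domain. If CUI
         lives in that domain, every asset in the domain is in scope.
      3. An asset that provides security protection (firewall, IdP, SIEM, ...) for an
         in-scope segment is in scope even if it never touches CUI.
    The protection rule is applied once, not recursively: it does not pull the
    protecting asset's own segment into scope.
    """
    assets = list(assets)
    segments = list(segments)
    report: Dict[str, str] = {}

    # Rule 1: direct CUI handling.
    for a in assets:
        if a.handles_cui:
            report[a.name] = "processes, stores or transmits CUI"

    # Rule 2: contamination of an unsegmented domain.
    flat_domain = {s.name for s in segments if not s.isolated}
    cui_segments = {a.segment for a in assets if a.handles_cui}
    if cui_segments & flat_domain:
        for a in assets:
            if a.segment in flat_domain and a.name not in report:
                report[a.name] = (
                    f"shares an unsegmented domain with CUI "
                    f"(segment {a.segment!r} has no boundary protection)"
                )

    # Rule 3: security-protecting components of in-scope segments.
    in_scope_segments = {a.segment for a in assets if a.name in report}
    for a in assets:
        if a.name not in report and a.protects & in_scope_segments:
            report[a.name] = "provides security protection for in-scope components"

    return report


def example_inventory(isolate_cui: bool) -> Tuple[List[Asset], List[Segment]]:
    """Constructed sample inventory; only the CUI segment's isolation flag varies."""
    segments = [
        Segment("corp", isolated=False),
        Segment("cui-enclave", isolated=isolate_cui),
        Segment("mgmt", isolated=True),
    ]
    assets = [
        Asset("cui-fileserver", "cui-enclave", handles_cui=True),
        Asset("engineering-ws-01", "cui-enclave", handles_cui=True),
        Asset("hr-app", "corp"),
        Asset("marketing-ws-07", "corp"),
        Asset("edge-firewall", "mgmt", protects=frozenset({"corp", "cui-enclave"})),
        Asset("siem", "mgmt", protects=frozenset({"cui-enclave"})),
        Asset("build-server", "mgmt"),
    ]
    return assets, segments


if __name__ == "__main__":
    for isolated in (True, False):
        label = "isolated CUI enclave" if isolated else "flat network"
        report = scope_report(*example_inventory(isolated))
        print(f"== {label}: {len(report)} assets in scope ==")
        for name, reason in sorted(report.items()):
            print(f"  {name:20s} {reason}")
```

With the enclave isolated, only the two CUI hosts plus the firewall and SIEM that protect them are in scope; with the enclave flat, the HR application and a marketing workstation are dragged in purely because nothing separates them from CUI, while the build server stays out because it neither touches CUI nor protects an in-scope segment.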
The good news is that ComplianceForge can help you with your compliance needs! We have affordable solutions that range from the NIST 800-171 Compliance Criteria (NCC) all the way to providing you with comprehensive cybersecurity policies and standards, such as the NIST 800-53 Written Information Security Program (WISP).
NIST 800-171 Compliance Criteria - Compliance Made Easy & Affordable!
We listened to our customers and created a product specific to NIST 800-171 compliance. We had an overwhelming number of requests from companies to help them become "NIST 800-171 compliant." Most have told us they do not know where to start, but they know this is a requirement they cannot avoid.
The concept is pretty simple - the NCC goes through each NIST 800-171 requirement and maps it to the corresponding NIST 800-53 rev 4 controls. Each of those NIST 800-53 controls is explained as to what reasonably-expected criteria would be to meet that control. Additionally, the NCC provides applicable "best practice" guidance on what steps you need to take in order to comply. That is exactly what you would expect from a dedicated consultant!
Example NIST 800-171 Compliance Criteria (NCC) Template
Don't take our word for it - take a look at the example NIST 800-171 Compliance Criteria (NCC) worksheet to see for yourself the level of professionalism and detail that went into it.
Microsoft Excel Spreadsheet - NIST 800-171 "Consultant In A Box" Solution!
If you can use Microsoft Excel, then you can use the NCC to understand your requirements for compliance with NIST 800-171. There is no magic to it - it is a fully-editable Excel spreadsheet that contains exactly what a consultant will tell you:
- NIST 800-53 rev4 mapping to NIST 800-171 requirements.
- Reasonably-expected criteria to address the NIST 800-53 control.
- Applicable "best practice" guidance on what steps you need to take to be compliant.
- Self-assessment options to track where you are compliant and what needs work.
NIST 800-171 Compliance Through A NIST 800-53 Rev4-Based Cybersecurity Program
US Federal agencies require NIST 800-171 compliance for protecting the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST 800-171 are directly linked to NIST 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and nonfederal organizations (e.g., government contractors), as it applies to:
- When CUI is resident in nonfederal information systems and organizations;
- When information systems where CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
- Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry
The NIST 800-171 requirements apply to all components of non-federal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The good news is that ComplianceForge can help you with your compliance needs!
Controlled Unclassified Information (CUI) - Understanding NIST 800-53 rev 4 MODERATE Controls
Does your company need to comply with NIST 800-171 requirements for MODERATE baseline controls from NIST 800-53 rev4? The good news is our NIST 800-53 based Written Information Security Program (WISP) has the documentation you need to comply with MODERATE baseline controls.
The CUI requirements developed from the tailored FIPS Publication 200 security requirements and the NIST 800-53 moderate security control baseline represent a subset of the safeguarding measures necessary for a comprehensive information security program. The strength and quality of such programs in nonfederal organizations depend on the degree to which the organizations implement the security requirements and controls that are expected to be routinely satisfied without specification by the federal government. This includes implementing security policies,
The combination of the basic and derived security requirements captures the intent of FIPS Publication 200 and NIST 800-53, with respect to the protection of the confidentiality of CUI in nonfederal information systems and organizations. Appendix D provides informal mappings of the CUI security requirements to the relevant security controls in NIST 800-53 and ISO/IEC 27001. The mappings are included to promote a better understanding of the CUI security requirements and are not intended to impose additional requirements on nonfederal organizations.
For ease of use, the security requirements are organized into fourteen families. Each family contains the requirements related to the general security topic of the family. The families are closely aligned with the minimum security requirements for federal information and information systems described in FIPS Publication 200. The contingency planning, system and services acquisition, and planning requirements are not included within the scope of this publication due to the aforementioned tailoring criteria.
Address NIST 800-171 Compliance With The NIST-based Written Information Security Program (WISP)
The NIST version of the Written Information Security Program (WISP) is a comprehensive set of IT security policies and standards that is based on the National Institute of Standards & Technology (NIST) 800-53 rev4 framework, and it can help your organization become compliant with NIST 800-171 requirements.
This NIST-based WISP is a comprehensive, customizable, easily-implemented Microsoft Word document that contains the NIST 800-53 rev4-based policies, control objectives, standards and guidelines that your company needs to establish a robust cybersecurity program. Being a Microsoft Word document, you have the ability to make edits to suit your company's specific needs.
NIST 800-53 is the de facto cybersecurity control catalog issued by the US government. Therefore, government agencies, defense contractors, telecom service providers, health care providers, financial companies and other organizations that contract with the government tend to adopt NIST-based best practices over all other frameworks, driven by regulatory requirements.
You can see an example of the NIST 800-53 WISP here.
What Does NIST 800-171 Require?
NIST 800-171 describes fourteen (14) families of security requirements for protecting the confidentiality of CUI. The families are aligned with the minimum security requirements for federal information and information systems described in Federal Information Processing Standard (FIPS) 200, with the exception of the contingency planning, system and services acquisition, and planning requirements.
Appendix D of NIST 800-171 maps the requirements to both NIST 800-53 rev4 controls and ISO/IEC 27001:2013 controls. Only NIST 800-53 offers complete coverage of the NIST 800-171 requirements.
Does Compliance with ISO 27001/27002 Equal Compliance with NIST 800-171?
No. Compliance with ISO 27001/27002 does not meet the requirements of Special Publication 800-171. In fact, NIST 800-171 (Appendix D) maps how the CUI security requirements of NIST 800-171 correspond to NIST 800-53 and ISO 27001/27002 security controls, including callouts where the ISO 27001/27002 controls do not fully satisfy the intent of NIST 800-171.