NIST 800-171 Compliance - DFARS 252.204-7012 & FAR 52.204-21
ComplianceForge is an industry-leader in NIST 800-171 compliance. We specialize in cybersecurity compliance documentation and our products include the policies, standards, procedures and POA&M/SSP templates that companies (small, medium and large) need to comply with NIST 800-171. We've been writing cybersecurity documentation since 2005 and we are here to help make NIST 800-171 compliance as easy and as affordable as possible.
Our NIST 800-171 rev2 compliance products are designed to scale for organizations of any size or level of complexity, so we serve businesses of all sizes, from the Fortune 500 all the way to small and medium businesses. The focus of NIST 800-171 is to protect Controlled Unclassified Information (CUI) anywhere it is stored, transmitted and processed,
When you look at NIST 800-171 rev2 as it compares to other cybersecurity requirements, it is requiring companies to have a relatively-strong set of cybersecurity controls in place that range from administrative processes to protective technologies. We help customers that range from the Fortune 500 down to small and medium-sized businesses comply with this DFARS requirement. Our products are scalable, professionally-written and affordable.
As a quick summary of your requirements to comply with NIST 800-171, you are expected to have several different "documentation artifacts" to prove that your cybersecurity program exists. The reality with compliance assessments is that if something is not documented, you cannot prove it exists. Given that reality, you need to ensure your company has the proper cybersecurity documentation in place:
- Cybersecurity policies, standards & procedures
- System Security Plan (SSP) (requirement #3.12.4)
- Plan of Action & Milestones (POA&M) (requirements #3.12.1, 3.12.2, 3.12.3 & 3.12.4)
The chart below depicts all Capability Maturity Model Certification (CMMC) v1.02 requirements and how they map to other frameworks:
Did you know CMMC requires organizations to create, maintain and leverage a documented security strategy and roadmap to demonstrate how it is improving its cybersecurity practices that will be in-scope for review during a CMMC audit? CMMC C034-P1163 is applicable to L4 and L5 organizations. To address this need, ComplianceForge launched its Cybersecurity Business Plan (CBP) that is a business plan template that is specifically tailored for a cybersecurity department, which is designed to support an organization's broader technology and business strategies. The CBP is entirely focused at the CISO-level, since it is a department-level planning document. The CBP is a solution to address CMMC requirement P1163 in an efficient and cost-effective manner.
The "NIST 800-171 in a nutshell" graphic show below helps depict NIST 800-171 requirements from either a policy, standard or procedure perspective. This can help better visualize what the various requirements are (e.g., administrative, technical solutions, configurations, etc.).
Not Sure Where To Start With NIST 800-171 Compliance?
If you are not sure where to start, we put together a few short videos with some helpful guidance on how to define CUI and get on the path to getting compliant with NIST 800-171. If you want to learn more about NIST 800-171 requirements and how to minimize the impact to your company through scoping your compliance needs, we recommend pouring yourself a cup of coffee and watching these videos:
NIST 800-171 Scoping Considerations - Free Guide To Reducing Controlled Unclassified Information (CUI)
Click here for a FREE GUIDE
We put together a free guide to help identify what is in scope for NIST 800-171. Once you know what your CUI is, the next step is to scope your environment and this is a valuable guide for those efforts. Not sure what CUI is or if you have CUI on your network? Go to the US government's authoritative source on the matter, the US Archives CUI Registry at https://www.archives.gov/cui/registry.
When you look at NIST 800-171 rev 1 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS). That may sound odd to you, but from the perspective of PCI DSS, if scoping is done poorly, a company's entire network may be in-scope as the Cardholder Data Environment (CDE), which means PCI DSS requirements would apply uniformly throughout the entire company. The same holds true for CUI environments. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently-designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable.
Based on a lack of scoping guidance from the DoD, our assessment of scoping NIST 800-171 is that it should following a similar, structured approach to scoping that is used for PCI DSS compliance. The reason for this is the proposed approach is a reasonable method, based on accepted practices to comply with cybersecurity requirements. This guide is meant to help companies identify assets within scope for NIST 800-171 and potentially find ways to minimize scope through isolation or controlled access.
What ComplianceForge Products Apply To NIST 800-171 rev2 Compliance?
Complying with the requirements from DFARS goes beyond just having policies and standards. When you break down the requirements to comply with DFARS / NIST 800-171, you will see how ComplianceForge's products address a specific DFARS compliance need. In the chart, "NFO" stands for Non-Federal Organization. NFO controls are required for contractors and are called out in Appendix E of NIST 800-171. Aligning with NIST 800-53 is the most straightforward approach to complying with NIST 800-171, based on the official mappings in Appendices D & E of NIST 800-171.
|ComplianceForge Product||DFARS / NIST 800-171||NIST 800-53|
Cybersecurity & Data Protection Program (CDPP) or
[policies & standards map to all NIST 800-171 rev1 requirements]
NIST 800-171 (multiple NFO controls)
|Vendor Compliance Program (VCP)||252.204-7008
NIST 800-171 NFO PS-7
|Cybersecurity Risk Management Program (RMP)||252.204-7008
NIST 800-171 NFO RA-1
|Cybersecurity Risk Assessment Template (CRA)||252.204-7008
NIST 800-171 3.11.1
|Vulnerability & Patch Management Program (VPMP)||252.204-7008
NIST 800-171 3.11.2
|Integrated Incident Response Program (IIRP)||252.204-7008
NIST 800-171 3.6.1
|Security & Privacy By Design (SPBD)||252.204-7008
NIST 800-171 NFO SA-3
|System Security Plan (SSP)||252.204-7008
NIST 800-171 3.12.4
|Cybersecurity Standardized Operating Procedures (CSOP)||252.204-7008
NIST 800-171 (multiple NFO controls)
|Continuity of Operations Plan (COOP)||252.204-7008
NIST 800-171 3.6.1
|Secure Baseline Configurations (SBC)||252.204-7008
NIST 800-171 3.4.1
|Information Assurance Program (IAP)||252.204-7008
NIST 800-171 NFO CA-1
Documentation Done Right - Our Solution Is Designed To Be Scalable, Comprehensive & Efficient
We leverage the Hierarchical Cybersecurity Governance Framework to develop the necessary documentation components that are key to being able to demonstrate evidence of due diligence and due care for our clients. This methodology towards documentation acknowledges the interconnectivity that exists between policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. This documentation model works well with ISO 27002, NIST CSF, NIST 800-171, NIST 800-53, FedRAMP, CIS CSC Top 20, PCI DSS, Secure Controls Framework (SCF) and other control frameworks.
Essentially, ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation that you can see in the downloadable diagram shown below. This helps demonstrate the unique nature of these components, as well as the dependencies that exist. You can download the example to better understand how we write our documentation that links policies all the way down to metrics. This is a great solution for any organization currently using or migrating to a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform to help automate their governance practices.
Framework Alignment Matters For CMMC 2.0 & NIST 800-171 Compliance!
Many people ask how NIST 800-171 is different from NIST 800-53. In reality, there is no NIST 800-171 vs NIST 800-53, since everything defaults back to NIST 800-53. Our solutions address both DFARS and FAR requirements for protecting Controlled Unclassified Information (CUI) by addressing NIST 800-171 and its corresponding NIST 800-53 requirements.
When it comes to being "audit ready" for a company with NIST 800-171, there is no such thing as "Bronze, Silver or Gold" levels of compliance since a standard is a standard for a reason. This is where documentation is king, since in cybersecurity compliance audits, if it is not documented then it does not exist.
ComplianceForge can provide you with the documentation you need to demonstrate evidence of due care and due diligence to be considered compliant (e.g., policies, standards, procedures, SSP & POA&M). Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident response, risk management or vulnerability management program documents. Our focus is on helping you become audit ready!
NIST 800-171 is intended to force contractors to adhere with reasonably-expected security requirements that have been in use by the US government for years. NIST 800-171 establishes a basic set of expectations and maps these requirements to NIST 800-53, which is the de facto standard for US government cybersecurity controls. In some ways, this is a good thing since the US government is not reinventing the wheel with new requirements. Instead, the DoD selected moderate-level controls from an existing set of recognized best practices, commonly used throughout the DoD and Federal agencies. In the long run, this will help both the US government and private businesses speak the same language for cybersecurity.
The bottom line is NIST 800-171 creates a standardized and uniform set of requirements for all Controlled Unclassified Information (CUI) security needs. This is designed to address common deficiencies in managing and protecting unclassified information by that is being stored, transmitted or processed by private businesses.
Cost of Non-Compliance With NIST 800-171 (DFARS 252.204-7012)
What can possibly go wrong with non-compliance in a contract with the U.S. Government?
- Contract Termination. It is reasonably expected that the U.S. Government will terminate contracts with prime contractors over non-compliance with DFARS / NIST 800-171 requirements since it is a failure to uphold contract requirements. Subcontractor non-compliance will cause a prime contractor to be non-compliant, as a whole.
- Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information (e.g., False Claims Act).
- Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a DFARS / NIST 800-171-related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., DFARS / NIST 800-171 cybersecurity controls).
As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.
What Problem Does ComplianceForge Solve?
We sell cybersecurity documentation - policies, standards, procedures and more! Our documentation is meant to help companies become audit-ready!
- Lack of In House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive NIST 800-171 compliance documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. ComplianceForge offers NIST 800-171 documentation solutions that can save your organization significant time and money!
- Compliance Requirements - The reality of non-compliance with NIST 800-171 requirements means lost business and potential fines. In addition to losing contracts, charges of fraud may be leveled on companies that claim to be compliant with NIST 800-171 but cannot provide evidence. Our documentation can help you become and stay compliant with NIST 800-171 where you have documented evidence to prove it!
- Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. Our documentation provides mapping to NIST 800-53 and other leading security frameworks to show you exactly what is required to both stay secure and compliant. Being editable documentation, you are able to easily maintain it as your needs or technologies change.
How Does ComplianceForge Solve It?
We take a holistic approach to creating comprehensive cybersecurity documentation that is both scalable and affordable. This is beyond just generic policies and allows you to build out an audit-ready cybersecurity program for your organization!
- Clear Documentation - In an audit, clear and concise documentation is half the battle. ComplianceForge provides comprehensive documentation that can prove your NIST 800-171 compliant security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
- Time Savings - Time is money! Our cybersecurity documentation addresses DFARS and FAR requirements and this can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.
- Alignment With Leading Practices - We did the heavy lifting. Our documentation is mapped to the NIST 800-53, as well as other leading security frameworks!
Microsoft Excel Spreadsheet - NIST 800-171 "Consultant In A Box" Solution!
If you can use Microsoft Excel, then you can use the NIST 800-171 & CMMC Compliance Criteria (NC3) to understand your requirements for compliance with NIST 800-171. There is no magic to it - it is a fully-editable Excel spreadsheet that contains exactly what a consultant will tell you:
- NIST 800-53 rev4 mapping to NIST 800-171 requirements.
- Reasonably-expected criteria to address the NIST 800-53 control.
- Applicable "best practice" guidance on what steps you need to take to be compliant.
- Self-assessment options to track where you are compliant and what needs work.
Don't take our word for it - take a look at the example NIST 800-171 & CMMC Compliance Criteria (NC3) worksheet to see for yourself the level of professionalism and detail that went into it.
DFARS 252.204-7012 (NIST 800-171 rev2) Implications and Federal Acquisition Regulation (FAR)
Many of our clients who need to address DFARS 252.204-7012 (NIST 800-171) also have to address FAR 52.204-21. One common question we receive from clients pertains to aligning with the correct security framework to ensure they have the proper coverage for compliance. This generally revolves around aligning with ISO 27001/27002 or NIST 800-53, since those are the two most common security frameworks.
The bottom line is that utilizing ISO 27001/27002 as a security framework does not meet the requirements of NIST 800-171. In fact, NIST 800-171 (Appendix D) maps out how the CUI security requirements of NIST 800-171 relate to NIST 800-53 and ISO 27001/27002 security controls. This includes callouts where the ISO 27001/27002 framework does not fully satisfy the requirements of NIST 800-171. Therefore, policies and standards based on NIST 800-53 are what is needed to comply with NIST 800-171. This is important to keep in mind, since FAR changes will require all US government contractors to adopt NIST 800-171 requirements in the near future.
NIST 800-171 isn’t just for Department of Defense (DoD) contractors. Representatives from the National Institute of Standards and Technology (NIST) and DoD officials have recently been putting this information out in webinars and other training seminars on NIST 800-171. This means that only the NIST 800-53 framework is going to meet FAR requirements - ISO 27002 and the NIST Cybersecurity Framework are going to be insufficient in coverage. This coming requirement for FAR cybersecurity compliance is specified on page v of NIST 800-171:
Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the Controlled Unclassified Information (CUI) Executive Agent designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program’s mission to establish uniform policies and practices across the federal government, NARA is issuing a final federal regulation in 2016 to establish the required controls and markings for CUI government-wide. This federal regulation, once enacted, will bind agencies throughout the executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program.
With regard to federal information systems, requirements in the federal regulation for protecting CUI at the moderate confidentiality impact level will be based on applicable policies established by OMB and applicable government-wide standards and guidelines issued by NIST. The regulation will not create these policies, standards, and guidelines which are already established by OMB and NIST. The regulation will, however, require adherence to the policies and use of the standards and guidelines in a consistent manner throughout the executive branch, thereby reducing current complexity for federal agencies and their nonfederal partners, including contractors.
In addition to defining safeguarding requirements for CUI within the federal government, NARA has taken steps to alleviate the potential impact of such requirements on nonfederal organizations by jointly developing with NIST, Special Publication 800-171 — and defining security requirements for protecting CUI in nonfederal systems and organizations. This approach will help nonfederal entities, including contractors, to comply with the security requirements using the systems and practices they already have in place, rather than trying to use government-specific approaches. It will also provide a standardized and uniform set of requirements for all CUI security needs, tailored to nonfederal systems, allowing nonfederal organizations to be in compliance with statutory and regulatory requirements, and to consistently implement safeguards for the protection of CUI.
Finally, NARA, in its capacity as the CUI Executive Agent, also plans to sponsor in 2017, a single Federal Acquisition Regulation (FAR) clause that will apply the requirements contained in the federal CUI regulation and Special Publication 800-171 to contractors. This will further promote standardization to benefit a substantial number of nonfederal organizations that are attempting to meet the current range and type of contract clauses, where differing requirements and conflicting guidance from federal agencies for the same information gives rise to confusion and inefficiencies. The CUI FAR clause will also address verification and compliance requirements for the security requirements in NIST Special Publication 800-171. Until the formal process of establishing such a FAR clause takes place, the requirements in NIST Special Publication 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements. If necessary, Special Publication 800-171 will be updated to remain consistent with the federal CUI regulation and the FAR clause.
Affordable, Editable NIST 800-171 Compliance Documentation (DFARS 252.204-7012)
We listened to our customers and we created several products that are specific to NIST 800-171 compliance. We had an overwhelming request from companies to help them become NIST 800-171 compliant and most told us they do not know where to start, but they just know that this is a requirement they cannot run from.
The concept is pretty simple - the NIST 800-171 Compliance Criteria (NCC) goes through each NIST 800-171 requirement and maps it to the corresponding NIST 800-53 rev 4 controls. Each of those NIST 800-53 controls is explained as to what reasonably-expected criteria would be to meet that control. Additionally, the NCC provides applicable "best practice" guidance on what steps you need to take in order to comply. That is exactly what you would expect from a dedicated consultant! What do you get if you buy the NCC?
- The NCC is a “consultant in a box” solution that is essentially a NIST 800-171 checklist in an editable Microsoft Excel format.
- The NCC covers all controls in Appendix D of NIST 800-171.
- It also covers Appendix E Non-Federal Organization (NFO) controls, which are required by contractors.
- Each of the NIST 800-171 controls is mapped to its corresponding NIST 800-53 control.
- Each of the NIST 800-53 controls are broken down to identify:
- Reasonably-expected criteria to address the control.
- Applicable compliance guidance;
- Methods to address the requirement; and
- Status of compliance for each control so you can use it for a self-assessment.
- The NCC maps into the Cybersecurity & Data Protection Program (CDPP) and Digital Security Program (DSP) products, so they can work in concert together to make it easier to comply with NIST 800-171 since your organization can have NIST-based policies and standards to support NIST 800-171 compliance efforts.
Tripwire's State of Security Blog
Background on NIST 800-171 Rev 1 Controls
NIST 800-171 requires private companies to protect the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST 800-171 are directly linked to NIST 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and non-federal organizations (e.g., government / DoD contractors). The good news is that ComplianceForge can help you with your compliance needs! We have affordable solutions that range from the NIST 800-171 Compliance Criteria (NCC) all the way to providing you with comprehensive cybersecurity policies and standards, such as the NIST 800-53 Cybersecurity & Data Protection Program (CDPP).
Appendix D of NIST 800-171 provides a direct mapping of CUI security requirements to the security controls in NIST 800-53 rev4 and ISO/IEC 27001:2013. This security control mapping information can be useful to organizations that wish to demonstrate compliance to the CUI security requirements in the context of their established information security programs, when such programs have been built around the NIST or ISO frameworks. NIST 800-53 has direct mapping, where ISO 27001/27002 has gaps that would have to be filled with enhanced policies and standards.
A central tenant to NIST 800-171 is a need to focus on secure engineering. However, it is important to keep in mind that this expectation for operationalizing security and privacy principles is not limited to NIST 800-171:
- NIST 800-53 - SA-8
- NIST Cybersecurity Framework - PR.IP-2
- ISO 27002 - 14.2.5 & 18.1.4
- Federal Acquisition Regulations (FAR) 52.204-21 - 4
- National Industrial Security Program Operating Manual (NISPOM) - 8-302 & 8-311
- SOC2 - CC3.2
- Generally Accepted Privacy Principles (GAPP) - 4.2.3, 6.2.2, 7.2.2 & 7.2.3
- New York State Department of Financial Service (DFS) - 23 NYCRR 500.08
- Payment Card Industry Data Protection Standard (PCI DSS) - 2.2
- Center for Internet Security Critical Security Controls (CIS CSC) - 1.2, 5.9, 6.2, 6.3, 6.4, 6.5, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 8.6, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, 11.4, 11.5, 11.6, 11.7, 13.4, 13.5 & 16.5
- European Union General Data Protection Regulation (EU GDPR) - 5 & 25
Key Assumptions For NIST 800-171 That Impact Scoping
NIST 800-171 states that contractors may limit the scope of the CUI security requirements to those particular systems or components. Isolating CUI into its own security domain by applying architectural design principles or concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for non-federal organizations to satisfy the requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both.
Is Your Organization Audit Ready for NIST 800-171?
When you "peel back the onion" and prepare for a NIST 800-171 audit, there is a need to address "the how" for certain topics. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation to address HOW it gets done. We did the heavy lifting and created several program-level documents to address this need and they integrate with either the Cybersecurity & Data Protection Program (CDPP) or Digital Security Program (DSP) to provide your organization with a set of robust documentation to prepare for your audit. This gives you a full stack of documentation that covers your needs for policies, standards, procedures, System Security Plan (SSP) and a Plan of Action & Milestones (POA&M).
NIST 800-171 Compliance Through A NIST 800-53 Rev4-Based Cybersecurity Program
US Federal agencies require NIST 800-171 compliance for protecting the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST 800-171 are directly linked to NIST 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and nonfederal organizations (e.g., government contractors), as it applies to:
- When CUI is resident in nonfederal information systems and organizations;
- When information systems where CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
- Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry
The NIST 800-171 requirements apply to all components of non-federal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The good news is that ComplianceForge can help you with your compliance needs!
Controlled Unclassified Information (CUI) - Understanding NIST 800-53 rev 4 MODERATE Controls
Does your company need to comply with NIST 800-171 requirements for MODERATE baseline controls from NIST 800-53 rev4? The good news is our NIST 800-53 based Cybersecurity & Data Protection Program (CDPP) has the documentation you need to comply with MODERATE baseline controls.
The CUI requirements developed from the tailored FIPS Publication 200 security requirements and the NIST 800-53 moderate security control baseline represent a subset of the safeguarding measures necessary for a comprehensive information security program. The strength and quality of such programs in nonfederal organizations depend on the degree to which the organizations implement the security requirements and controls that are expected to be routinely satisfied without specification by the federal government. This includes implementing security policies,
The combination of the basic and derived security requirements captures the intent of FIPS Publication 200 and NIST 800-53, with respect to the protection of the confidentiality of CUI in nonfederal information systems and organizations. Appendix D provides informal mappings of the CUI security requirements to the relevant security controls in NIST 800-53 and ISO/IEC 27001. The mappings are included to promote a better understanding of the CUI security requirements and are not intended to impose additional requirements on nonfederal organizations.
For ease of use, the security requirements are organized into fourteen families. Each family contains the requirements related to the general security topic of the family. The families are closely aligned with the minimum security requirements for federal information and information systems described in FIPS Publication 200. The contingency planning, system and services acquisition, and planning requirements are not included within the scope of this publication due to the aforementioned tailoring criteria.
What Does NIST 800-171 Require?
NIST 800-171 describes fourteen (14) families of security requirements for protecting the confidentiality of CUI. The families are aligned with the minimum security requirements for federal information and information systems described in Federal Information Processing Standard (FIPS) 200, with exceptions for contingency planning, system, and services acquisition and planning requirements.
Appendix D of NIST 800-171 maps requirements to both NIST 800-53 rev4 and ISO 27002:2013 best practices. Only NIST 800-53 offers complete coverage for NIST 800-171 requirements.