Federal contracts often require contractors to process federal information on contractor-owned information systems. Those systems do not always meet government security standards, and that gap has led to federal information being compromised.
As a result, the Defense Federal Acquisition Regulation Supplement (DFARS), through clause 252.204-7012, stipulates that defense contractors and subcontractors that process, store or transmit sensitive unclassified information, which the government calls Controlled Unclassified Information (CUI), must comply with the security requirements in NIST Special Publication 800-171 (NIST 800-171), published by the National Institute of Standards and Technology.
CUI is information that law, regulation or government-wide policy requires to be safeguarded or subject to dissemination controls, but that is not classified; the CUI program replaced the patchwork of agency-specific markings such as "For Official Use Only." The approved categories are defined in the CUI Registry maintained by the National Archives and Records Administration (NARA), and the list is long. CUI includes personally identifiable information, financial data, patent applications and inventions, court records, death records and military personnel records, federally funded research, critical infrastructure data, U.S. Census data, federal taxpayer information and proprietary business information.
To comply with NIST 800-171, it helps to understand how the requirements are structured.
The five "functions" (Identify, Protect, Detect, Respond and Recover) and the 23 "categories" of activities beneath them, as illustrated below, come from the NIST Cybersecurity Framework. They serve as a roadmap for identifying and prioritizing risk-management actions, from understanding the business environment to recovering from a cybersecurity attack, and many organizations use that roadmap to plan their compliance work.
NIST 800-171 itself is organized differently. Its requirements are grouped into 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. Each family contains basic requirements and the derived requirements that refine them, for a total of 110 requirements in Revision 2, and DFARS expects every one of them to be implemented or covered by a plan of action.
Our team of consultants can help you begin your compliance journey, or meet you in the middle, wherever you may already be. Contact us to ensure your journey to compliance is successful.