NIST 800-171 / DFARS

Everything you need to know about NIST 800-171/DFARS  

The background to NIST 800-171 is that federal contracts often require contractors to process federal information on contractor-owned information systems. These systems do not always meet government security standards, and that gap has led to federal information being compromised.

As a result, Defense Federal Acquisition Regulations (DFARS) stipulate that federal contractors and subcontractors that process, transmit or store sensitive information, or what the government calls Controlled Unclassified Information (CUI), must comply with the cybersecurity requirements listed in the National Institute of Standards and Technology (NIST) publication 800-171 (NIST 800-171). 


What is CUI?

CUI is confidential information that is not designated as classified, secret, or for official use only. The list is exhaustive. CUI includes personally identifiable information, financial data, patent applications and inventions, court records, death records and military personnel records, federally funded research, critical infrastructure data, U.S. Census data, federal taxpayer information and proprietary business information. 

Understanding the NIST 800-171 framework 

To comply with NIST 800-171, it helps to understand how the requirements are structured.

At its core are five “functions” or pillars that help organizations identify and prioritize actions for managing cybersecurity risk. The five core functions serve as a roadmap, from evaluating the business environment to recovering from a cybersecurity attack.

The functions are further divided into 23 “categories” of activities, each intended to achieve a specific outcome in managing risk, as illustrated below.

Function 1: Identify. Develop an organizational understanding of systems, people, assets, data and capabilities in order to manage risk.
Function 2: Protect. Develop and implement appropriate safeguards to protect critical services.
Function 3: Detect. Develop appropriate activities to identify the occurrence of a cybersecurity event.
Function 4: Respond. Develop appropriate actions in response to a cyber incident.
Function 5: Recover. Develop and maintain plans to reduce the impact of a cyberattack.

Begin the compliance process today.

Our team of consultants can help you begin your compliance journey, or meet you in the middle, wherever you may already be. Contact us to ensure your journey to compliance is successful.