NIST Compliance FAQ

Your guide to the NIST SP800-171 regulations.

What you Need to Know About the NIST Regulations

In recent years, the Department of Defense, along with several other federal agencies, has grown increasingly concerned about the state of information security within the non-federal systems and organizations with which it does business. While many businesses fulfill contracts with the DoD without handling classified information, even unclassified documents can be sensitive enough to pose a risk to information security.

Responding to these concerns, the National Institute of Standards and Technology issued a series of regulatory guidelines designed to help businesses contracting with the federal government better protect this sensitive data. These protocols are known as NIST SP 800-171.

Businesses who intend to continue fulfilling DoD contracts—as well as those who hope to fulfill such contracts in the future—must meet these standards to qualify. Achieving NIST SP 800-171 compliance will also help businesses prepare for Cybersecurity Maturity Model Certification (CMMC) requirements.


Frequently Asked Questions

If your business intends to continue fulfilling DoD contracts, we’ve assembled a list of FAQs to help you understand these regulations and what they mean for your business.

The Department of Defense, in conjunction with various federal agencies, has implemented an entirely new approach to safeguarding data. This approach is designed for government contractors. It instructs them as to how they should:

  • Safeguard special kinds of data that exist throughout the contract fulfillment process
  • Report breaches of their systems to the DoD
  • Fix any shortfalls in the security of their systems

If you hold a contract with the DoD, or are fulfilling part of that contract on behalf of another contracting agency, these regulations apply to you.

SP 800-171 was established by the National Institute of Standards and Technology (NIST) as a set of guidelines and best practices to protect the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems. Derived from NIST SP 800-53, NIST SP 800-171 consists of 14 control families including:

  • Access Control
  • Awareness & Training
  • Audit & Accountability
  • Configuration Management
  • Identification & Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System & Communications Protection
  • System & Information Integrity

The Department of Defense (DoD) has implemented a number of cybersecurity controls and practices through different policies and clauses, including DFARS 252.204-7012. This clause requires you, as the contractor, to follow the guidelines specified within NIST SP 800-171 to safeguard information systems that are used to process, store, or transmit CUI.

The clause also goes beyond the NIST SP 800-171 requirements themselves by requiring contractors to report system compromises to the DoD via DIBNet within 72 hours of incident discovery.

CUI refers to unclassified information that may be deemed sensitive and/or protected from public disclosure. CUI’s categorization includes many types of information, including defense information, also known as Covered Defense Information or CDI. Defense information such as technical drawings, datasheets, design specs, or manuals can all be considered CUI or CDI.

The federal government is coming at this from several angles, including:

  • New DFARS clauses in your contracts
  • New laws that govern liability protections for government contractors
  • New rules for how quickly you must report breaches to the DoD
  • A written standard for security practices in your organization

These new mechanisms went into effect on December 31st, 2018. If you are pursuing a DoD contract, you will need to meet these regulations before it can be granted.

Here’s the best way to think of it: the contract clauses determine the standard you must follow. The standards (defined in the DFARS clauses) require that certain proofs of compliance or timely reports be submitted to your contracting officer, prime contractor, and/or the DoD CIO. Not following those standards can result in liability protections (afforded to you as a federal contractor) being lifted, which would expose you to criminal, civil, or administrative action.

The presence of certain Defense Federal Acquisition Regulation Supplement (DFARS) clauses in your contracts informs you that you must indeed follow these new procedures as a defense contractor.

Some of the most common are:

DFARS 252.204-7008: By submitting a bid for this contract, you are committing to implement a new data security standard (NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”) within 30 days of being awarded the contract.

DFARS 252.204-7009: The controlled data you receive from the government can only be used for government contracting purposes. You must also make sure that your subcontractors understand and agree to this restriction.

DFARS 252.239-7009: You must tell the federal government if you plan on using cloud computing while fulfilling the contract.

DFARS 252.204-7012: This is the big clause. If this clause is found in your contract, then you must do the following:

  • Adhere to all of the requirements found in NIST SP800-171 within 30 days of being awarded the contract.
  • If you cannot meet a particular requirement in NIST SP800-171, you must request permission to vary from the standard. This request is submitted to your contracting officer and the DoD CIO.
  • Any cloud services used to fulfill this contract must meet security requirements equivalent to those found in FedRAMP certifications for cloud service providers. These cloud providers must also follow the security and reporting guidelines found in this clause.
  • You must report any cyber incidents to the DoD within 72 hours, using a medium assurance certificate for encrypted communications. You must also cooperate with the DoD in their investigation of the incident.
  • You must enforce similar strategies amongst your own subcontractors, gaining approval for their organizations to vary from the NIST SP800-171 standards, and making sure that cyber incidents are properly reported.

Some prime contractors are asking for proof of compliance before you can bid on new contracts. The federal government (and contracting officers) is requiring proof of compliance within 30 days of contract award.

Proof of compliance consists of the following key items:

  1. A system security plan. This document outlines the systems in your organization that collect, store, and transmit CUI. It will also show (usually as a diagram) how all those systems interconnect and what their boundaries are. Finally, the document will contain an item-by-item list of all 110 NIST SP 800-171 requirements, and a statement regarding your compliance with each requirement.
  2. A plan of action and milestones. For any areas where your organization is not compliant, you will describe how you will become compliant, or whether particular standards don’t apply to you. It’s important to note that you can still receive contract awards without being fully compliant, provided that your contracting officer accepts your plan of action, and the DoD CIO accepts any variances from the compliance standards.
  3. An incident response plan. This document will demonstrate that your organization has the ability to detect, mitigate, and report a cyber-incident to the DoD within the 72-hour timeline required by the DFARS clauses.
  4. Submission of Compliance Score. You must submit your NIST SP 800-171 compliance score to the SPRS system.

The primary commitment of any organization meeting these compliance standards will be the time spent by their personnel. Even with the help of professionals, the organization will need to provide executive sponsorship, a team of operations, HR, and IT professionals, and must work towards a thorough understanding of the standards outlined in DFARS clauses.

From a financial perspective, the costs of becoming compliant will vary greatly. Most small businesses we’ve met with have spent between $60,000 and $100,000 to become compliant. We’ve also helped some very small contractors achieve compliance for under $10,000, with ongoing costs of only a few thousand dollars per year.

The costs associated with becoming compliant scale based on several factors:

  • The size and complexity of the organization
  • The number of systems that collect, store, and transmit CUI
  • Any previous compliance efforts (ISO, ITAR, etc.) which have accustomed the organization to compliance work
  • The presence of key technology investments (such as a domain network, a strong Active Directory design, a next-generation firewall, etc.) which can be adjusted rather than replaced
  • Written policies, procedures, and response plans

Ultimately, an organization needs to make a long-term commitment to meet these standards, and to incorporate strong security practices into their culture.

The first thing you should determine is whether you even want to fulfill defense contracts. Many organizations began government contracting as a way to diversify their revenue streams. That’s still a valid reason, but companies need to decide if they’re in a position to dedicate the time and resources towards meeting the standards that are defined in these clauses, and still be profitable.

Next, you should map the presence of CUI in your organization, and determine how many of your systems, applications, and users are involved in processes that contain CUI. This will help you to understand whether CUI is pervasive throughout your organization, or whether it is contained within a few systems or user groups.

Once you have a scope of CUI-related environments, you can decide whether you should apply the new standards to a controlled subset of your business, or across the entire organization. Understanding the “scope of standards” will allow you to scale your expectations for the commitment of time and resources required to continue government contracting.

Brightline can assist with these steps. We will apply our experience in meeting NIST SP 800-171 cybersecurity requirements to your business, which can shorten the overall process of becoming compliant. We offer the following services to jump-start or lead your organization towards compliance.

Our Initial Engagement will provide you with information regarding DFARS, DFARS clauses, and the NIST SP800-171 standard and required documentation for you to meet your initial compliance.

With our Program Management, we take on the role of Compliance Specialist for your company. We provide on-going guidance and direction for implementing technical solutions to satisfy and maintain full compliance with NIST SP800-171.

Current DoD suppliers must have posted a NIST SP 800-171r2 adherence score in the U.S. Government’s Supplier Performance Risk System (SPRS), which requires the supplier to generate a System Security Plan and include a POA&M (if necessary). This score is required by DFARS rule 252.204-7019.

While the CMMC Final Rule making process is ongoing, businesses intending to work with the DoD must perform a self-assessment in order to determine their Supplier Performance Risk System (SPRS) score. The SPRS score must be accurate, as there are penalties if a business claims a score and then fails to meet those standards under audit.

Not sure what your business needs to take its IT to the next level?

We can help! Contact us for a free consultation.

Call Us: (248) 886-0248