NIST SP 800-171 Cybersecurity Framework

Federal government contracts are excellent vehicles for sustaining and growing companies. Included among the terms and conditions for doing business with the federal government, however, are requirements for protecting government information. These requirements "flow down" to subcontractors; they are not limited to prime contractors. Different levels of security are required. Federal Contract Information (FCI) is protected under FAR 52.204-21[i], and that protection is required for any federal contract. Additional security controls are required for the Department of Defense (DoD) supply chain. Those controls are described in the Defense Federal Acquisition Regulation Supplement (DFARS) by reference to the NIST SP 800-171 guidelines. Essentially, these controls protect Controlled Unclassified Information (CUI). In other words, they ensure sensitive information is kept confidential and secure.

What is CUI?

CUI stands for Controlled Unclassified Information: sensitive but unclassified information that is in the national security interest of the United States of America. This information is not intended to be public[iv].

What is NIST SP 800-171?

NIST, the National Institute of Standards and Technology, developed Special Publication (SP) 800-171 as a set of guidelines derived from NIST SP 800-53[v] to protect Controlled Unclassified Information (CUI) in nonfederal organizations and systems. Organizations within the DoD supply chain that handle CUI must follow the recommendations in NIST SP 800-171, in addition to satisfying sections c through g of DFARS 7012[vi]. Organizations must implement the 110 security controls contained in the 14 Security Control Families listed below:

  • Access Control
  • Incident Response
  • Identification & Authentication
  • System & Information Integrity
  • Awareness & Training
  • Configuration Management
  • Security Assessment
  • Audit & Accountability
  • Maintenance
  • Media Protection
  • Risk Assessment
  • Personnel Security
  • System & Communications Protection
  • Physical Protection

iMpact Utah Services

    Is your organization ready to comply with DFARS and implement NIST SP 800-171 in Utah? Contact us below for more information about these services today, so your organization can comply with DoD regulations, start taking on new federal contracts, and reduce cybersecurity risk generally.


    [i] Addresses basic safeguarding of covered contractor information systems.

    [ii] These are DFARS 252.204-7008 (safeguarding covered defense information, or CDI), 7009 (limitations on the use or disclosure of third-party contractor reported cyber incident information), 7012 (safeguarding covered defense information and cyber incident reporting), 7019 (notice of NIST SP 800-171 DoD assessment requirements), 7020 (reserves the right for onsite DoD assessment), and 7021 (Cybersecurity Maturity Model Certification requirement).

    [iii] DoD CUI Program
    [iv] National Archives, CUI
    [v] NIST SP 800-53, Security and Privacy Controls for [Federal Government Controlled] Information Systems and Organizations, which is now in its fifth revision.
    [vi] Sections c through g of DFARS 7012 describe requirements for reporting security incidents that involve the compromise of CUI.
