Get Support
Book Discovery Session

Federal information systems deal with sensitive government data and require advanced security and compliance efforts. Contractors for the DoD and other government agencies must protect high-profile information and mitigate the ongoing threat of cyberattacks. To keep data secure, they follow a clearly-defined set of federal compliance guidelines. 

However, many contractors are reluctant or unsure of how to adopt critical security best practices. NIST SP 800-171 solves for uncertainty by aligning DoD contractors behind a unified set of standards to ensure cyber hygiene and to safeguard Controlled Unclassified Information (CUI).


What Is NIST SP 800-171?

Established in 1901, the National Institute of Standards and Technology (NIST) is a government agency within the U.S. Department of Commerce. NIST promotes innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. 

NIST has created thousands of standards and special publications, including NIST SP 800-171, which defines how to protect and distribute Controlled Unclassified Information (CUI) made or possessed by non-federal entities.

Who Does NIST SP 800-171 Apply To?

Anyone who processes, stores, or transmits CUI for the Department of Defense (DoD), General Services Administration (GSA), NASA, and other federal and state agencies, including contractors, must meet the standards outlined in 800-171.


What Is CUI?

Controlled Unclassified Information (CUI) is unclassified and not strictly regulated by the federal government but is sensitive and needs safeguarding.

There are numerous categories of CUI that include:

  • Electronic files
  • Emails
  • Email attachments
  • Proprietary information
  • Blueprints
  • Paper files

So what kind of information would be considered sensitive but not be classified?

An example might be the design for a widget created independently, then later used in military aircraft production. While seemingly insignificant compared to the specifications for a weapons system, it's not something you'd want falling into the wrong hands.

Why Does CUI Need Safeguarding?

According to a 2015 New York University study, approximately nine million people work for the federal government, 40% of whom are private contractors responsible for safeguarding CUI. Like nearly every business, they are under the constant threat of a data breach.

From massive data breaches at Marriott in 2018 and Equifax in 2017 to the 2013 Yahoo! breach that involved three billion users, the scale and severity of cyberattacks has escalated over the past decade. With these increases comes an influx of notable breaches involving DoD contractors.

Contractors in the Crosshairs

2018 Navy Project “Sea Dragon”

Chinese government hackers compromised a contractor working for the Naval Undersea Warfare Center, a military organization headquartered in Newport, R.I. that conducts research and development for submarines and underwater weaponry. The 614GB of material stolen included project details, sensor data, and cryptographic systems information – highly sensitive data housed on an unclassified network.

2018 DoD DTS Employee Information

Hackers compromised a DoD contractor responsible for employee travel records. As many as 30,000 employees were potentially affected, with personal information compromised including credit card data.



Although federal information systems were regulated by NIST 800-53, until 800-171 no such standards existed for commercial contractors that support the DoD and other government agencies. Cyber attackers were targeting these smaller businesses, which typically allocate a smaller budget (if any) to security, making them vulnerable to breaches. 

With NIST 800-171, the U.S. government made it difficult for hackers to access sensitive information that federal contractors handle by establishing standards that define how to safeguard CUI.


NIST 800-171 Categories and Controls

The NIST Cybersecurity Framework (of which SP 800-171 is a part) covers five elements:

Cybersecurity Framework

Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. 

Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. 

Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

NIST SP 800-171 originates from a combination of FIPS 200 and NIST SP 800-53. It contains 110 security controls across the following 14 categories and covers both administrative and technical categories:

  • 3.1 Access Control
  • 3.2 Awareness and Training
  • 3.3 Audit and Accountability
  • 3.4 Configuration Management
  • 3.5 Identification and Authentication
  • 3.6 Incident Response
  • 3.7 Maintenance
  • 3.8 Media Protection
  • 3.9 Personnel Security
  • 3.10 Physical Protection
  • 3.11 Risk Assessment
  • 3.12 Security Assessment
  • 3.13 System and Communications Protection
  • 3.14 System and Information Integrity

The following chart shows a breakdown of the NIST 800-171 categories and the type of response they fall into.

Implementing NIST SP 800-171

Several of these controls typically require third-party software to achieve compliance. However, it's important to note that not all of the categories are IT–related. Some address physical security, personnel, and awareness and training – so be wary of anyone selling a 100% software-based NIST compliance package.

Like all things government, the specific security controls addressed within each 800-171 category can be confusing. Our guide, NIST SP 800-171 Controls Explained, uses simple and direct language to spell out the exact requirements in each control.

NIST SP 800-171 Controls Explained

Don't Speak Government?
Here Are the Controls Simplified

View the Controls ›


A Requirement, Not an Option

Due to CUI's sensitivity and persistent security risks, all government contractors who work with this type of information must follow NIST 800-171 controls.

In response to 800-171, updated DoD contracts contain verbiage related to CUI protection. Contracts now state that by submitting a response to the RFP, contractors certify that they are compliant with NIST 800-171 – and noncompliance could result in failure to obtain new contracts, loss of current contracts, and removal from the DoD Approved Vendor list.

NIST 800-171 was published in 2017 as a federal requirement; however, until 2019, government contractors only needed to self-attest that they were compliant with 800-171 or actively working towards meeting the controls.

From Self-Verification to Mandatory Audits

Unfortunately, self-verification allowed a majority of private contractors to ignore NIST guidelines. Although they technically needed to meet the standards, the lack of a third-party auditing or follow-up meant contractors could claim compliance to win a contract without any backlash for ignoring the requirements once the project began.

In 2019, the DoD responded by announcing that all contractors had 18 months to become compliant. At the end of that window, every private contractor working with the DoD would be subject to audit. Those found to be non-compliant would lose current contracts and be unable to secure any future ones.

While these updated audit regulations may at first appear overly strict, they're a critical aspect of NIST SP 800-171. The original deadline to become NIST compliant was in December 2017, but various security risks abounded when both contractors and the DoD failed to take it seriously. To mitigate the risks the self-verification model couldn't solve, contractors must prioritize a NIST Compliance Audit to protect current and future DoD contracts.

As of February 2018,

around 8% of private contractors reported a data breach at least one time since 2016. In many of those cases, there were multiple breaches. That means personal information for nearly 300,000 employees was compromised.


Even more concerning is the possibility that bad actors accessed sensitive CUI. In fact, there are reports that adversaries of the United States have developed military equipment from stolen design data.


In response to the failure of self-assessment, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) announced the Cybersecurity Maturity Model Certification (CMMC), a new certification model designed to verify that DoD contractors have sufficient controls to safeguard sensitive data.

Built in part from NIST 800-171 and other cybersecurity frameworks, the first phase of CMMC takes effect in January 2021. Once it's fully adopted, any organization intending to do business with the DoD will be subject to a mandatory audit to obtain CMMC certification before a contract is awarded.

Though it would ostensibly seem that CMMC will be replacing NIST 800-171, it’s important to note that the two are not interchangeable. While both NIST 800-171 and CMMC primarily focus on CUI, NIST 800-171 also addresses 63 Non-Federal Organization (NFO) controls. So CMMC certification will not ensure NIST compliance.

CMMC is moving quickly. As it’s implemented over the next few years, details and requirements may change. Peerless can help you navigate the ins and outs of federal compliance with 800-171 so you’re fully equipped to tackle CMMC and other related regulations during transition periods and into the future of your organization.

NIST 800-171 Compliance Webinar

Learn Why NIST 800-171 Is Critical for DoD Contractors


Getting Started

Becoming NIST compliant is an ongoing process. You must continuously assess, design, deploy, and manage your systems. You need to:

  • Assess your current security controls
  • Design required changes within your systems
  • Deploy those changes within your system and enforce your new policies
  • Manage the system continuously

However, you can create two essential documents – a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) – to satisfy separate NIST controls:

SSP System Plan SecurityPOA&M Plan of Action and Milestones

Start by creating your SSP in a simple Excel document that outlines each control. Then go through each one and answer how you’ve implemented the control and whether it satisfies the requirement. If you currently do not satisfy the control, it goes into your Plan of Actions and Milestones (POA&M).

Example of an SSP NIST SP 800-171 Security Requirement

A POA&M is a key document that describes the current status of any vulnerabilities and the actions to be taken to correct them. It facilitates a disciplined and structured approach to tracking risk mitigation activities. The POA&M should include findings from regular ongoing monitoring as well as periodic security assessments, such as the annual assessment.

Example of a POA&M NIST Compliance 800-171 Control List



5 Tips: Preparing
for a NIST Assessment


What should you do if there's a potential compliance breach?

Contact the Department of Defense and begin a security incident report at

Identify any information that may have been lost or compromised as well as any computers, data, or accounts that may have been affected.

A professional assessment creates a strong foundation for your NIST 800-171 compliance plan. It evaluates your current security state to both identify where you're already meeting compliance standards and highlight gaps.

It's essential to have senior management involved and ready to work together before, during, and after your compliance assessment. Before the assessment, you should:

  1. Determine which employees need to be involved. The requirements within NIST 800-171 affect policies, configuration, software, and hardware. While not every employee will need to be involved in the assessment, most of your management team likely will.
  2. Identify your current security policies. Look at your existing policies and see what you already have in place, where you're lacking, and what could use improvement.
  3. Ensuring all employees understand the current policies. Do your employees know how to handle CUI, CDI, and any sensitive information within your organization? Even if your employees have seen this information, they may need a refresher or have outstanding questions about your policies. Be sure to include everyone from management to your IT department and administrative staff.
  4. Collect materials for the assessment team. Whether you're running an assessment in-house or through an outside company, you should compile all assessment materials before the process begins. These include policies, procedures, plans, designs, records, manuals, information system documentation, and legal requirements.
  5. Establish time frames for completing assessments. Put realistic due dates on when each piece of your assessment will be completed and stick to your timeline throughout the process.

The Benefits of Professional Guidance

Because contractors could self-verify for NIST 800-171 in the past, many believed that they could navigate the entire compliance process alone. However, due to data sensitivity and the seriousness of a potential breach, it's wise to work alongside a partner with expertise in NIST 800-171 compliance.

Achieving (and maintaining) NIST compliance is an exhaustive and ongoing process. An expert will be able to guide you through both the implementation of the standards and continued compliance.

Implementing Compliance

  • Assessing your current environment
  • Generating your initial SSP and POA&M
  • Designing the required system and policy changes
  • Deploying required changes

Continuing Compliance

  • Using Security Incident and Event Management (SIEM) 
  • Updating the SSP and POA&M
  • Enforcing new policies
  • Conducting regular system audits

The risk and repercussions of a cybersecurity attack are too severe for you to tackle NIST or CMMC compliance alone. Consult with an expert to protect your employees, your business, and the sensitive DoD data you work with every day.

Need Help With NIST?
Get Compliant in as Few as 30 Days

Work With Us ›

Need Help With NIST?