Obtaining NIST 800-171 Compliance

Achieving NIST 800-171 Compliance

For organizations handling controlled unclassified information (CUI), ensuring data protection is paramount, as this data can be a target for serious, sophisticated cyberattacks. In fact, past and current orchestrated attacks on programs and assets containing CUI have prompted the Department of Defense (DoD) to seek the assistance of the National Institute of Standards and Technology (NIST).

NIST, for its part, authored NIST 800-171 back in December 2017 as a handy tool for companies to refer to in handling sensitive data. By using the NIST 800-171 checklist in your own company, you can help ensure data integrity and safety. To accomplish this, complying with the NIST 800-171 mandate is necessary.

Back in 2017, there were two ways to go about this: you could conduct a self-audit and self-attestation, or get the NIST 800-171 audit done by an independent third-party assessor that will also provide recommendations. After this, you would need to provide formal documentation to be submitted to primary contractors or sub-contractors of the DoD the moment a contract is initiated or renewed. Among the required documents were the System Security Plan (SSP) and Plan of Action with Milestones (POA&M).

However, one major new change in NIST 800-171 compliance is the creation of a certification called the Cybersecurity Maturity Model Certification (CMMC). This certification is meant to increase cybersecurity among companies involved with the federal government, or which form part of government supply chains. As a consequence, all companies are now mandated to get themselves audited by an independent, accredited third-party organization.

Commissioning a Third-party Assessor

As mentioned earlier, companies involved in handling CUI are now required to obtain a CMMC through an accredited, third-party assessor. If you are already working with service providers that are experts in this area, you need to identify a vendor you can partner with for NIST 800-171 compliance. The vendor should be FISMA certified and familiar with the specific cybersecurity skills and know-how required by NIST.

Another important factor you need to consider is vendor experience when it comes to compliance audits and certification. Your audit partner should also have extensive project management experience so they can ably handle organizations of different scales.

The Assessment in Stages

An assessment for NIST 800-171 compliance would normally consist of three phases: an in-depth review of your business processes, a technical assessment of your current systems and networks, and a comprehensive analysis of data collected.

Each stage of the assessment normally takes anywhere between 20 and 30 days. However, this will depend a lot on the size of your organization, as well as the technology you already have in place. The main objective upon completion of the assessment is your baseline compliance.

Having the required critical security technology in your company can reduce the duration of the assessment and impact the costs of becoming NIST compliant. In such cases, the audit process would be more focused on identifying what process changes are needed to ensure that you meet NIST compliance requirements.

Once the assessment is done, the vendor would classify your company as being fully, partially, or not compliant. This final evaluation would come with supporting data and documentation. It will also contain recommendations regarding what your company needs to address or change to be fully compliant.

Even with the assessment over and done with, it would be beneficial for your company to target ongoing validation periodically to ensure you remain compliant with NIST 800-171. Doing so is not only meant to satisfy government requirements but, more importantly, to ensure data integrity and security at all times.


Emory Vandiver

Emory Vandiver is the Vice President of Business Operations and a Partner at Interactive Security, where he is responsible for executing the company's strategy as a premier IT Security and Compliance provider. For over 20 years Emory has worked for leading enterprises across a diverse cross section of the information technology industry. His professional passion lies in understanding client business goals, challenging the status quo and leveraging technology-based solutions to maximize client performance. He strives to bring unique insight and value to his clients' businesses, along with a superior customer experience.