
NIST Special Publication 800-171: Staying Secure with LastPass

LastPass, September 16, 2024
Did you know that SOS doesn’t actually mean Save Our Ship or Save Our Souls? The letters were adopted as an international distress signal in 1908 --- for their simplicity and memorability. Similarly, NIST SP 800-171 may not ring a bell, but it could save your business from a devastating breach or potential fines. 

You’ll want to comply with NIST SP 800-171 if your business is engaged in any of the following: 

  • Providing cloud services, IT support, technology solutions, or consulting services to federal agencies  
  • Conducting federally funded research in defense technologies, public health, energy efficiency, satellite science, or any areas aligned with federal priorities 

What is NIST SP 800-171? 

Overview of NIST SP 800-171 guidelines 

NIST SP 800-171 is a standard for safeguarding the confidentiality of Controlled Unclassified Information (CUI) in non-federal systems and organizations. 

It was developed by the National Institute of Standards and Technology in response to Executive Order 13556 for handling unclassified information securely. 

NIST SP 800-171 Version 3 (updated from Version 2) is designed to address the newest national security threats, such as state-level espionage targeting CUI. Its main control families are: 

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Assessment, Authorization, & Monitoring
  • Configuration Management
  • Contingency Planning
  • Identification & Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Planning (new)
  • Program Management
  • Personnel Security
  • PII Processing and Transparency
  • Risk Assessment
  • System & Services Acquisition (new)
  • System & Communications Protection
  • System and Information Integrity
  • Supply Chain Risk Management (new)

Complying with the security requirements in NIST SP 800-171 also makes defense and government contractors compliant with the Federal Acquisition Regulation (FARS) and the Defense Federal Acquisition Regulation Supplement (DFARS). 

Here’s the main difference between the two: 

  • FARS defines the process for how federal agencies acquire goods and services. 
  • DFARS supplements FARS and governs collaborations between the Department of Defense (DoD) and defense contractors. 

DFARS is our focus in this article because it’s tied to the handling of CUI.

Importance of protecting controlled unclassified information 

Compliance with NIST SP 800-171 ensures CUI is adequately protected when stored, processed, or transmitted by non-federal organizations.   

In May 2024, NIST published updated guidelines for protecting controlled unclassified information (CUI) in two publications:  

  • NIST SP 800-171 Revision 3  
  • Assessing Security Requirements for Controlled Unclassified Information (NIST SP 800-171A Revision 3). 

The two publications draw heavily from NIST’s catalog of privacy and security controls (NIST SP 800-53) and the assessment of those controls (NIST SP 800-53A). 

Ultimately, NIST SP 800-171 aligns closely with FISMA (the Federal Information Security Modernization Act). 

But how does NIST SP 800-171 relate to FISMA? 

Earlier, we mentioned DFARS and how it’s tied to the handling of CUI.

DFARS, particularly clause 252.204-7020, mandates NIST SP 800-171 compliance to ensure the protection of CUI. 

Both NIST SP 800-171 and DFARS are central to implementing the information security objectives in FISMA (Federal Information Security Modernization Act).  

For its part, FISMA emphasizes a risk-based approach to information security, highlighting the need for cybersecurity capability management, real-time access monitoring, and continuous identity verification to promote a Zero Trust framework.  

In other words, both DFARS and NIST SP 800-171 help your organization comply with the Zero Trust principles of FISMA. 

Applicability of NIST SP 800-171 to nonfederal systems and organizations 

In this section, we answer the important question, “What are the requirements for compliance with NIST SP 800-171?” 

To bid on or maintain contracts involving CUI, your organization must be compliant with both NIST SP 800-171 and DFARS. 

To accomplish this, you’ll need a third-party assessment of your ability to protect CUI, and that assessment must be conducted by an independent C3PAO (CMMC Third-Party Assessor Organization). 

CMMC stands for “The Cybersecurity Maturity Model Certification” and its newest iteration is CMMC 2.0. 

There are three compliance levels in CMMC 2.0:

  • Level 1 is for organizations working with federal contract information (FCI) and requires compliance with FAR 52.204-21.  
  • Level 2 is for organizations working with CUI and requires compliance with all 110 security controls in NIST 800-171. 
  • Level 3 is for organizations working with CUI with a high APT (Advanced Persistent Threat) risk and requires compliance with NIST 800-172. 

If your organization is engaged in any activities that involve CUI, it must earn a Level 2 CMMC certification. Level 2 CMMC requirements are slated to be in contracts in Q1 2025.  

C3PAOs will require a System Security Plan (SSP) from your organization to show its compliance. 

In addition, any unmet controls or deficiencies must be remediated. Your organization will be expected to document all corrective actions in a Plan of Action and Milestones (POAM) document. 

Benefits of NIST SP 800-171 Compliance

Enhanced data security and risk mitigation 

SMBs are fast becoming key players in the defense supply chain.  

However, more needs to be done for smaller suppliers, which have traditionally been excluded from established supply chain risk management networks.

Currently, 81% of SMBs in the defense supply chain have initiated CMMC 2.0 certification (which aligns closely with NIST SP 800-171 compliance), but only 11% are compliant. 

NIST SP 800-171 compliance can be a key part of securing both your organization’s reputation and bottom line.    

Ultimately, it can help your business enjoy greater levels of resiliency and contribute more effectively to our collective defense, in line with the White House’s whole-of-nation approach to national security.

Building trust with customers and partners 

By adhering to recognized security standards, you earn the trust of federal agencies you do business with. NIST 800-171 compliance demonstrates your commitment to CUI security, reinforcing your organization’s reputation as a trusted DoD vendor. 

Meeting contractual obligations and regulatory requirements 

NIST SP 800-171 compliance is a requirement for earning and maintaining federal contracts. As an SMB, non-compliance can result in a decreased competitive advantage. Prioritize compliance to ensure your organization maintains a high score on the DoD’s Supplier Performance Risk System (SPRS), thus highlighting your organization’s ability to protect CUI effectively.  

NIST SP 800-171 and LastPass 

How LastPass supports NIST SP 800-171  

At LastPass, we understand the importance of NIST SP 800-171 compliance for SMBs, and we support you with premium features that promote peace of mind: 

  • Strong password generation: LastPass generates long passwords to prevent weak password choices at the root of most credential-based attacks. 
  • Security Dashboard to monitor password hygiene: LastPass identifies all weak or compromised credentials to protect your information systems from being breached. 

All the above aligns with the NIST SP 800-171 focus on identification, authentication, and access control. 

Enhancing security and privacy with LastPass 

As an organization that collaborates with federal agencies, protecting the privacy of your systems is critical. 

At LastPass, we help you achieve this through two of the most robust access controls in cybersecurity: passwordless authentication and phishing-resistant MFA. The first improves your organization’s operational efficiency, while the second brings your organization in line with the federal government’s emphasis on identity verification, the first pillar of a Zero Trust architecture.

To get started, sign up for a free, no-obligation LastPass Business trial today.