Big changes are coming around NIST 800-171 requirements for government contractors. Be prepared!

nist 800-171

NIST 800-171

Many external vendors today work with the federal government to help carry out a wide range of business functions. Because of all the sensitive information transferred from the government to these vendors, the government is cracking down on the compliance and security regulations for these vendors – and any companies that work with those vendors or service providers.

Since these services provided by outside vendors and contracts are essential to the federal government, we have provided a list of 3 requirements necessary for any and all government-related contractor and the importance of understanding the specifications of NIST 800-171.

Additionally, federal information is frequently provided to or shared with entities such as State and local governments, colleges and universities, and independent research organizations. The protection of sensitive federal information while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations, including those missions and functions related to the critical infrastructure.


#1 Your Federal Funding Is at Risk If You Are Not Compliant!

Originally, this was the rule for any Department of Defense contractor that stored or transmitted Controlled Unclassified Information (CUI). Known as DFARS Compliance, this regulation went into effect at the end of 2017.

Today, this is being extended to any vendor, service provider, or contractor that is contracted by any entity that work with the federal government.

Here’s the original DFARS wording:

All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts.

DFARS Safeguarding rules and clauses, for the basic safeguarding of contractor information systems that process, store or transmit Federal contract information. DFARS provides a set of “basic” security controls for contractor information systems upon which this information resides. These security controls must be implemented at both the contractor and subcontractor levels based on the information security guidance in NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.” The DFARS cybersecurity rule and clauses and be found at


#2 NIST 800-171 is for ALL Government Contractors – not just those with a DoD contract

If you work with a large government contractor, you may have heard some buzz that all contractors must comply with the NIST framework, specifically NIST 800-171. And not only the contractors but any vendors or service providers that are outsourced by those contractors must also comply as well.

If your organization falls in this category, it’s important to understand what is involved in the specifications of NIST 800-171.

Start with a security assessment to help understand your current state of security. Be sure to work with a company like Cybriant that understands the NIST framework, especially the specifications around NIST 800-171 regulations and can bring you to a state of compliance, so you aren’t at risk of losing business.

Your organization may need to upgrade security policy and procedures as well as ensure your network, email, endpoints, etc. are secure according to the specifications of NIST 800-171.

#3 An Outside Organization Is Your Best Resource

There are more than 100 security requirements in NIST 800-171. While it may seem an easy task to undertake, think about the consequences of not getting it right. Your team needs to understand the language that will be used by federal auditors like controlled information, controlled technical information, controlled unclassified information, etc.

An outside organization will not only help translate any government lingo that your team may not be used to, but they will also help put in real-world terms the tasks that are required to be completed.

Work with an organization like Cybriant to take a high-level look of your organization through a security assessment, and then use our services, technology, and experts to give you granular detail on the steps to become compliant.

If your organization wants to continue receiving grants from the federal government or continue to win government contracts, then it’s important to become compliant with NIST framework early and understand the specifications of NIST 800-171.

Start With an Assessment