National Cyber Strategy and the DFARS Mandate


National Cyber Strategy and the DFARS Mandate


Dec. 9th, 2018

Recently, the United States Government has indicated that it will step up its efforts to address cyber threats both domestically and internationally. Both the White House and the Department of Defense have released updates of their cyber strategies that detail the fundamental pillars of an effective cyber defense. In this environment, DFARS compliance is now more important than ever for contractors.

While many of these strategies focus on how the United States will operate in the international arena against hostile state actors, there is also a notable focus on defending domestic networks from cyber threats that could compromise them. Each one of the plans includes the protection of the homeland as a pillar.

Presidential Seal

Presidential National Cyber Strategy

In the White House plan, there are several elements to the protection of our domestic system. The first element is the one that relates closest to NIST 800-171. This element of the pillar calls for securing federal networks and information. The report recognizes the criticality of protecting information that is housed on contractor information systems. The White House Report foreshadows that there will be a unified standard across all of the federal government that will be used in all acquisitions that measure contractors’ information systems.

The White House is particularly concerned about information that belongs to the DOD. The report cites the end result of NIST 800-171 when it says the federal government will be able to assess its data’s security by reviewing the contractor information system. This demonstrates the federal intent to make this an area of focus going forward.

Department of Defense National Cyber Strategy

Similarly, in the DOD report, there is also a heightened focus placed on securing DOD information that is housed on non-DOD systems. The DOD seeks to secure its own networks against malicious cyber attacks. Given the new requirements that contractors face, contractors should take the DOD’s cyber priorities seriously when it says it is seeking to protect its own information no matter where it is housed. The DOD has its own investigative arm, the Defense Contract Audit Agency, that can unleash to perform audits on contractors’ information systems. Thus, you can rest assure that the DOD actually will make this a firm priority in the future.

Contractors will need to ensure that they maintain compliance with the new NIST standard on from now on. If they fail to maintain their DFARS compliance, contractors can lose not only the contracts they have with the United States Government, but they can also be suspended or debarred as government contractors. This is not a position in which anyone who wants to do business with the federal government would want to find themselves.

In order to comply with the NIST standards that are aimed at protecting controlled unclassified information, there are a few different compliance options a contractor can use. One of the most cost-effective options involves a NIST 800-171 template. This template will provide your business with the outline of a compliance solution so your business will not be on its own in this vital compliance area. At the same time, this option will be considerably cheaper than hiring a consultant to assist you with compliance.

The Honeymoon is Over, Audits are Coming!


The Honeymoon is Over, Audits are Coming!


Nov. 20th, 2018

The Defense Contract Management Agency is an agency that can often strike fear in government contractors. DCMA conducts audits of government contractors to make sure they are complying with laws and regulations. As of recently, it appears that the DCMA is set to turn its auditing focus toward compliance with NIST 800-171.

NIST 800-171 sets forth steps that contractors must take in order to secure their information systems that house nonclassified sensitive information. Compliance with these standards becomes a legal part of every contract with the Department of Defense considering the NIST standards are incorporated into every contract through the DFARS. If contractors do not maintain their DFARS compliance, they cannot do business with the federal government.

Nist 800 171 Audit

The NIST standards were scheduled to become effective on December 31, 2017. Government officials were adamant that the deadline was firm and contractors would have to immediately be in compliance with the standards; however, prior to that deadline, the government clarified that the deadline only applied to the requirements for a System Security Plan and a Plan of Action. After the December 2017 effective date, there was an update to the standards that clarified a few specific areas. While the update indicated a more relaxed approach to how the DOD would interpret the standards, it also brought the date closer to when these standards would be enforced. DOD is making it increasingly clear that they intend to conduct audits in the near future in this area.

A DCMA audit is a scary experience for many defense contractors. Businesses never quite know when an audit is coming and the DCMA can be relentless. Regardless, a DCMA audit does not have to be a traumatic event for a business. Contractors can start preparing the day they receive the notice that they will be audited.

There are several steps that contractors can take to anticipate and prepare for a potential audit. The good news is that contractors do not need to go at it alone, and can receive help in their DFARS compliance efforts. Matters that address information security can be complicated and time-consuming; however, by hiring the right service provider, a contractor can relieve some of that burden and free themselves up to focus solely on their important business issues.

ComplyUp offers a solution to help government contractors comply with their standards. The company has a compliance solution that can take some of the fear and mystery out of such a sensitive area. Their solution offers contractors a step-by-step method to help them properly follow the standards. By using ComplyUp, contractors will know exactly what is expected of them and can take the necessary steps to avoid any issues if DCMA shows up at their door. ComplyUp’s products rely upon technology in a way that takes some of the uncertainty away and makes it easier to deal with compliance.

When it comes to these NIST standards, you do not need to fear an audit if you have taken the right preparations in advance. Because of the stakes that are at play, it is vital that businesses take the right steps and secure assistance if they need it. When it comes to the existence of a business, it is always better safe than sorry.

Changes are Coming to NIST 800-171


Changes are Coming to NIST 800-171


Nov. 9th, 2018

Recently released standards that govern the process of securing unclassified controlled information have been scheduled in late 2018 to undergo a revision before being finalized early on in 2019. These new processes will build off of the requirements contained in the initial NIST 800171 that was released two years ago.

NIST 800171 generally requires certain measures to be taken when nonclassified information is located on nonfederal servers. It is aimed at ensuring that sensitive information is protected and secured when the information resides outside of the federal government.

Changes to NIST 800-171

While this NIST standard is aimed at protecting information, it ultimately becomes a matter all contractors must come to know in order to stay in business. These standards are incorporated into all contracts with the Department of Defense through a certain contractual clause.

DOD contracts are governed by several sets of federal regulations. In order to keep their contracts with the United States Government, contractors must comply with these regulations. If contractors do not comply with the regulations, they will either not be selected for contracts at all, or could lose the contracts they have through a process called termination for default. If you are a contractor, a termination for default is a terrible thing for your business to go through.

One of the sets of regulations that govern DOD contracts is called the DFARS. These regulations are DOD-specific and contain requirements that are in addition to the Federal Acquisition Regulations. The DFARS has incorporated NIST 800171 into every single DOD contract. In other words, if you are a contractor and want to receive a DOD contract, you must attest that you have complied with these standards before you can be awarded the contract. This requirement is not only found in over a million federal contracts, but it must be included in every single subcontract as well.

Contractors need to be aware that their original certification and efforts at compliance are not enough to stay in good standing with the DOD. These standards are continuously revised in order to cover new threats and make the protections broader than they currently are. When a contractor certifies that they are complying with the standard, that certification includes the revisions, not just the original standard. In other words, if you do business with the federal government, you are obligated to keep track of each revision and continuously incorporate these revisions into your security measures if you want to continue doing business with the federal government.

By the end of this year, NIST will be releasing a draft of changes to the existing guidance. The public will have a chance to submit their comments on the proposed guidance before it becomes final next spring. These changes will propose additional new levels of protection that contractors will need to learn.

These new measures will be optional in some instances; however, agencies can also make them mandatory if they choose. For that reason, those that do business with the government need to familiarize themselves with this new update so they are not caught off guard in the future. The update deals with the area of “advanced persistent threats.” These threats are faced when handling “critical defense and infrastructure information.” The update will address how contractors can add a new layer of security to counteract these threats.

Understanding Nist SP 800-171


Understanding NIST SP 800-171


Oct. 20th, 2018

If you are a defense contractor, you have heard of NIST 800171, and have likely been stressed out at some point trying to figure out the best way to comply with the set standards. If you do business with the Department of Defense, you have already been required to certify that you are compliant with their standards. If you do business with the rest of the federal government or want to at all in the future, it is vital to know more about these standards and how to ensure compliance.

Understanding NIST SP 800171

Why NIST 800171 Matters 
The DOD makes these standards a requirement. When you submit an offer to the DOD for its acceptance, you have certified that you are complying with the standards. By early 2019, these standards will not just be incorporated into DOD contracts but will apply across the entire federal government too. And they do not just apply to prime contractors, but to be “flowed down” to the subcontractors as well. In other words, if you have any subcontract in place, DFARS requires that compliance with these standards must be a part of the subcontract as well. If you do business with the federal government, you must take the steps required by these standards.

What NIST 800171 Does 
The government recognized in the cybersecurity environment that sensitive information was at risk and therefore imposed uniform standards for contractors to apply if they came into possession of any of this information.  The standards are an entire set of operating principles and procedures that contractors must have. If you have certain sensitive information on your servers, even if it is not classified, the standards generally state certain security requirements for you to follow in order to protect this information. They will generally aim to get contractors to apply the same measures that the government would if this information was housed on a federal server.

What if Contractors Do Not Comply? 
Failure to comply would have numerous impacts on your business. Right now, contractors are required to self-certify that they have complied with these standards in order to be eligible to receive a contract. From the government’s standpoint, it makes sense to ensure that contractors that may have sensitive information on their servers can actually protect that information. When you certify that you have complied and do not actually comply, you can get in some serious trouble. You can lose your contracts with the government through termination. The government can suspend or debar you, which will prevent you from getting future contracts. You can also be subject to lawsuits under the False Claims Act since certification would have been part of your proposal to win the contract.

If the DOD Inspector General shows up on your doorstep to audit your business, it is a serious matter. The DOD intends to audit contractors to make sure they are complying with these standards. Eventually, the responsibility to ensure that contractors are complying with these standards will rest with one governmental entity, which will likely lead to increased audits.

The Importance 
Given the media attention and the negative effects of the many data breaches this past decade, there is likely to be significant attention paid to these standards. Government budgets for cybersecurity have expanded, so it is logical for the federal government to be vigilant and stringent when sensitive information is housed on its contractors’ servers.

If you’re not compliant, try our platform for free to get started.

Ohio Data Protection Act


Ohio Data Protection Act


Oct. 12th, 2018

Understanding NIST SP 800171

On Sept. 21st, 2018, Ohio Governor John Kasich signed off on “Senate Bill 220” which has been aptly nick-named the Ohio Data Protection Act. Nationally, this is the first bill of its kind to motivate certain businesses to implement a number of specific cyber-security controls by rewarding them with a legal and affirmative defense.

Affirmative Defense, in this case, is a group of facts other than those alleged by the plaintiff or prosecutor that are used to protect business owners should the business be sued due to a cyber infiltration. If the defendant is able to prove that they fall under compliance of these facts, they overcome or mitigate the legal consequences of their otherwise lawful conduct.

Understanding NIST SP 800171

Eligible businesses can rely on their congruency to specific frameworks of cyber security as an Affirmative Defense against tort claims in data breach litigation. As such, the state of Ohio is granting legal incentive to said businesses to comply with these cyber security programs.

Organizations that want to take advantage of this incentive must implement a documented cyber security program that was made to protect the security and confidentiality of a small to large company’s environment/environments. To ensure the company has been granted an Affirmative Defense, it must be able to prove that they “Reasonably Conform” to one of the options for cyber security programs.

Listed are the options for which cyber security frameworks are accepted. Businesses must implement at least one and reasonably conform.

  • National Institute of Standards and Technology’s (NIST) Cybersecurity Framework
  • NIST special publication 800-171, or 800-53 and 800-53a
  • Federal Risk and Authorization Management Program’s Security Assessment Framework
  • Center for Internet Security’s Critical Security Controls for Effective Cyber Defense
  • International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards.

Understanding NIST SP 800171

Understanding DFARS Compliance


Understanding DFARS Compliance


Oct. 9th, 2018

Contractors that hold contracts with the Department of Defense must be compliant with any Defense Federal Acquisition Regulation Supplement (DFARS) clauses specified in their contracts. DFARS is a set of acquisition regulations that govern the way the Federal Government acquires goods and services. Failure to follow some clauses of the DFARS may lead to early termination of the contract, making DFARS compliance an existential issue for contractors. In a worst-case scenario, failure to comply with contractual DFARS clauses could lead to a contractor losing all of their work with the DOD. One pertinent regulation with which contractors must be familiar is the DFARS clause defining cybersecurity standards. This clause requires contractors to implement the requirements identified in the National Institute of Science and Technology (NIST) Special Publication 800-171. This particular standard addresses the storage and transmission of Controlled Unclassified Information (CUI).

DFARS Compliance

Oftentimes, in the course of their performance of a government contract, contractors come into possession of CUI. The definition of CUI is non-classified information for which government regulation requires safeguarding or disseminating controls. While unclassified, protection of this information is still in the national interest. This could involve private information, the disclosure of which would damage the person or entity who owns that information. In the past, this information was given the designation of “Sensitive but Unclassified.”

Although the worst-case scenario involves loss of contracts, it is ultimately the Contracting Officer’s responsibility to determine what action to take for noncompliance. For contracts involving CUI, attestation of compliance is a prerequisite for submitting bids for future DOD contracts. Small contractors who act as subcontractors to prime contractors can expect their primes to be vigilant about ensuring their compliance, as contractual clauses typically flow down to subcontractors.

For smaller contractors, the issue has become how to best find a compliance strategy for these rules. Compliance will usually revolve around having sound controls and a reporting mechanism. The rule first requires that contractors have adequate security on covered information systems. The DFARS cyber clause is also focused on prompt reporting of cybersecurity incidents. The regulation states that if a cybersecurity incident occurs, the contractor must provide the DOD with an incident report, the malicious software and access to the contractors’ information systems upon request. The good news for contractors is that the rules state that the occurrence of an incident is not an automatic implication that the contractor failed to protect CUI. However, contractors should be prepared for enhanced scrutiny by the government of their systems in the event of a cyber incident.

In such a case, contractors should be prepared to disclose what actions they took to comply with the DFARS cyber clause. This may include submitting evidence of implementation of each requirement in the contractors System Security Plan.  Contractors will have to recognize that they are partners with the government in safeguarding this information.

For contractors, the question they will ask first is what constitutes adequate security when it comes to DFARS compliance. This is addressed by the aforementioned NIST SP 800-171 standard. The standard has 110 security requirements that can fall into one of fourteen categories. At a minimum, contractors must describe how they have implemented, or plan to implement, the safeguards described in the special publication. These rules apply in all cases when CUI resides on a contractor network, whether that environment constitutes on-premise servers, an internal cloud as a component of an internal enterprise network system, smartphones or tablets, or any other data processing system.

The 3 Steps to NIST 800-171 Compliance


The 3 Steps to NIST 800-171 Compliance


Feb. 20th, 2017

At this point, I’ll assume you’ve heard about NIST 800-171. You’re aware that it impacts your organization, and you know you have to figure it out before December 31st.

But where should you start?

3 Steps to NIST 800-171 Compliance

It may seem daunting, but NIST 800-171 compliance can be broken down into three primary activities:

  1. Assessing your environment
  2. Addressing deficiencies
  3. Documenting your results

That’s basically it.

Step 1: Assessing Your Environment

First off, you need to determine which environment (or environments) are subject to NIST 800-171 compliance. Ask this question:

Does this environment process, store or transmit any Controlled Unclassified Information?

If the answer is yes, it needs to be assessed.

What exactly should you assess?

Go through the Controls (Section 3) of NIST 800-171. For each control, determine if this environment contains safeguards that satisfy the requirements.

Step 2: Addressing Deficiencies

Following your assessment, you should have a solid understanding of which controls are satisfied and which are not.

It’s time to figure out how to address the issues for each control that is not satisfied. It may be as simple as creating a policy or as complex as redesigning your network. Either way, you need to have a plan.

Step 3: Documenting Your Results

You’ve probably been documenting your activity throughout the assessment and remediation steps. At this point, it’s time to put it all together in a format that is acceptable to the Government. They’re quite particular about the way things need to be presented.

3 steps to nist 800-171 compliance

The 2 documents you need to produce

Your results should be cataloged in two specific documents:

  1. System Security Plan
  2. Plans of Action

These documents correspond to the first two steps discussed previously.

System Security Plan

The best approach for creating the System Security Plan is to create sections based on the information required in NIST 800-171.

System Security Plan Outline:

  1. Executive Summary
  2. System Boundary
  3. Operational Environment
  4. Security Requirements Implementation
    1. Controls 1 – 110
      1. Implementation Description
      2. Evidence Description (evidence, e.g. screenshots/documents, should be collected and saved but not necessarily included in the SSP)
  5. Environment Interconnection with Other Systems

Plans of Action

The government is expecting you to have some issues. You’re going to raise some eyebrows if you claim to be 100% compliant.

Plans of Action Outline:

  1. Executive Summary
  2. Unimplemented Security Requirements
    1. Specific Controls with Issues
      1. Non-compliance Details
      2. Remediation Plan

Documentation is Key

You know how the government operates… if you deviate even slightly from their requirements you’re going to end up going back to fix things. Make sure you provide solid detail for each control and capture some sort of evidence to back it up. ComplyUp offers a comprehensive NIST 800-171 Self-Assessment Platform, complete with easy to understand explanations of each control.

Will a “We Don’t Have CUI” Argument Work?


Will a “We Don’t Have CUI” Argument Work?


Feb. 6th, 2017

What if we don’t have CUI?

As the government prepares to enforce the NIST 800-171 compliance requirement, you may find yourself thinking one of these thoughts:

  • Can we avoid the NIST 800-171 compliance process altogether if we don’t have CUI?
  • We don’t process federal data on our systems, so we don’t need to worry about NIST 800-171.
  • We don’t have a contract with the CUI clause currently, so NIST 800-171 doesn’t apply to us.
  • The government gave us laptops for use on this contract, so we’re likely exempt from NIST 800-171.

Are you sure you don't have cui for Nist 800-171

Let’s start with a CUI Overview

NIST 800-171 describes the safeguards that contractors must implement to protect CUI. CUI is “Controlled Unclassified Information”.  Executive Order 13556 established an “open and uniform program for managing” CUI, and named the National Archives and Records Administration as the “Executive Agent to implement this order”. NARA did its part by cataloging the various types of CUI. NARA organizes CUI into several categories:

  1. Agriculture
  2. Controlled Technical Information
  3. Critical Infrastructure
  4. Emergency Management
  5. Export Control
  6. Financial
  7. Geodetic Product Information
  8. Immigration
  9. Information Systems Vulnerability Information
  10. Intelligence
  11. International Agreements
  12. Law Enforcement
  13. Legal
  14. North Atlantic Treaty Organization (NATO)
  15. Nuclear
  16. Patent
  17. Privacy
  18. Procurement and Acquisition
  19. Proprietary Business Information
  20. SAFETY Act Information
  21. Statistical
  22. Tax
  23. Transportation

Many of these categories have sub-categories. NARA specifically describes what types of information falls within CUI scope based on each category.

Now, back to the question at hand. What if we don’t have CUI based on the NARA definition?

Are you sure you don’t have CUI?

Ok, you may not have access to nuclear data, but what about technical information provided by the government for use on your contract? How about privacy info? This is the type of data that may end up on your systems inadvertently. Have you ever used technical data to demonstrate your understanding of the customer’s needs in a proposal? Have you stored deliverables on your laptop for retention after a contract ends?

Additional CUI Types

NARA reminds us that individual agencies still have some say in how CUI is defined. The top of their site includes the following statement:


Existing agency policy for all sensitive unclassified information remains in effect until your agency implements the CUI program. Direct any questions to your agency’s CUI program office.

This means you need to be aware of any deviations to the standard CUI definitions by your target agency. For example, consider the new rules proposed by DHS on January 20th:

DHS’s proposed rule broadly defines “CUI” as “any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls[,]” including any “such information which, if lost, misused, disclosed, or, without authorization is accessed, or modified, could adversely affect the national or homeland security interest, the conduct of Federal programs, or the privacy of individuals.”

This is a big one. They’re basically saying “everything is CUI”. Let your subcontractors know too, since this applies to them as well.

How do you know you won’t be asked to handle CUI?

Think about it from the government’s perspective: Let’s say you’re an agency that puts an RFP out with the “Safeguarding Covered Information” clause. You get 7 proposals that are all similar in technical approach and pricing. Six of the proposals have the following verbiage: “We are compliant with NIST 800-171 and have procedures in place to protect CUI”. The seventh proposal contains the following statement: “We do not process any CUI and have not undergone a NIST 800-171 assessment”.

Which bid do you think will get thrown out?

Prepare to handle CUI

Regardless of whether you currently process CUI or not, it makes sense to have a CUI safeguarding capability. Your competitors surely do.

ComplyUp offers a comprehensive NIST 800-171 Self-Assessment Platform, complete with easy to understand explanations of each control.

Are there any NIST 800-171 Outsourcing Options


Are there any NIST 800-171 Outsourcing Options?


Feb. 1st, 2017

What are my NIST 800-171 Outsourcing Options?

NIST 800-171 compliance is still a relatively new topic. Contractors are hustling to learn all they can about these cyber security requirements before the December deadline. Inevitably, folks start to ask if there are any NIST 800-171 outsourcing options.

What aspect of NIST 800-171 are you trying to outsource?

You’re probably looking to outsource one of two things: either a NIST 800-171 assessment or one of the NIST 800-171 requirements. We’ll talk about NIST 800-171 outsourcing for assessments in a future post. This article will focus on offloading some of the requirements to third-parties.

NIST 800-171 Outsourcing Options

What does the NIST 800-171 SP say about outsourcing?

This is really the only thing that matters. DFARS 252.204-7012 says we have to comply with NIST 800-171, and NIST 800-171 has specific verbiage that deals with outsourcing requirements.

          NIST 800-171 – Section 2.1 Basic Assumptions

Additional assumptions also impacting the development of the CUI security requirements and the expectation of federal agencies in working with nonfederal entities include: […] Nonfederal organizations can implement a variety of potential security solutions either directly or through the use of managed services, to satisfy CUI security requirements;

This single statement suggests that it’s totally acceptable to leverage third-party vendors to meet the compliance requirements. This is great news if you’re not quite compliant with one or more of the controls.

Outsourcing Examples

What are some examples of controls you can outsource? Many of the requirements “feel” like something you can pay someone to do.

  • 3.1.14 Route remote access via managed access control points. google: managed vpn services
  • 3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat. google: security awareness training services
  • 3.6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. google: incident handling services

The list goes on… If you find a deficiency within your organization, consider the costs of implementing an in-house solution vs. an outsourced service. You may find it’s quicker to pay someone to solve the problem for you. ComplyUp offers a comprehensive NIST 800-171 Self-Assessment Platform, complete with easy to understand explanations of each control.

Trump Reiterates Commitment to DoD Cyber Security


Trump Reiterates Commitment to DoD Cyber Security


Jan. 31st, 2017

DoD NIST 800-171 Compliance Cyber Security

President Trump will hold Cabinet Secretaries and Agency Heads Responsible for Nation’s Cyber Security

President Trump today announced in no uncertain terms that he will hold federal agencies responsible for their own cyber security posture. In a meeting with cyber experts, Trump expressed his commitment to secure the nation’s infrastructure.

“Today I’m convening this meeting to follow through on my promise to secure crucial infrastructure, and the networks that we’ve been talking so much about over the last period of time of the federal government against cyber threats. I will hold my cabinet secretaries and agency heads accountable, totally accountable, for the cybersecurity of their organization, of which we probably don’t have as much, certainly not as much as we should. We must defend and protect federal networks and data. We operate these networks on behalf of the American people, and they are very important and very sacred. We will empower these agencies to modernize their IT systems for better security and other reasons. We will protect our critical infrastructure such as power plants and electrical grids. The electrical grid problem is a problem, but we’ll have it solved relatively soon. We must work with private sector, the private sector is way ahead of government, in this case, to ensure that owners and operators of critical infrastructure have the support they need from the federal government to defend against cyber threats.”

DoD Cyber Security Commitment

Specifically highlighting DoD cybersecurity, Trump stated:

“We’re going to make sure that cybersecurity is central to both our military and the ships, planes, and tanks built by great Americans for our great American military, and our military will become stronger and stronger as we go along.”

What does this mean for government contractors?

Trump’s commitment to IT modernization, specifically cyber security enhancements, will undoubtedly translate into opportunities for contractors. Agencies that have been hesitant to spend large sums on cyber enhancements may now have the motivation they need to pony up the cyber defense dollars. It stands to reason that those at the top will be motivated to spend more to keep themselves away from potential Presidential fury.

Contractors that want to position themselves to take advantage of these opportunities should start by ensuring they won’t be disqualified from Dept. of Defense contracts. Starting December 31, 2017, the DoD will require all contractors to be compliant with NIST 800-171. The list of 110 NIST 800-171 requirements focus on confidentiality of Controlled Unclassified Information (CUI).

Complyup offers a comprehensive NIST 800-171 Self-Assessment Platform, complete with easy to understand explanations of each control.