Is NIST 800-171 Subcontractor Compliance Required for DoD Contracts?

Jan. 23rd, 2017

Do Subcontractors Need to Comply with NIST 800-171?

The Department of Defense has made it clear that it expects contractors to keep Controlled Unclassified Information (CUI) safe in DFARS 252.204-7012. But what about NIST 800-171 Subcontractor requirements? Do subs need to be compliant as well?

The short answer here is: yes.

If you’re a sub, you need to be compliant with 800-171 if you’re going to be dealing with CUI. Here are a few things you should take care of:

NIST 800-171 Subcontractor Considerations

Get familiar with NIST 800-171

The NIST 800-171 DFARS clause calls you out, so you should take time to familiarize yourself with the requirements and controls. Take a look at this NIST 800-171 Quick Reference to see what type of cybersecurity requirements are involved.

Discuss your compliance plans with your prime

Your prime is going to be very interested in how you handle this. The government has put the responsibility of managing subcontractor compliance on the prime, and the last thing they want is a failed contract because of subcontractor non-compliance. Start the conversation. Let them know where you stand and how you intend to get compliant. You’ll stand out among your peers.

Determine which systems may contain or transmit CUI

Determining scope is an important part of this process. The idea here is to draw a clear line between your systems that will support the contract and possibly store or transmit CUI and those that won’t. The systems in scope will need to be assessed.

Undergo a NIST 800-171 Assessment

Take the plunge and do an assessment. You’ll be setting yourself up for success on your current contract, and you’ll be more attractive as a teaming partner for future work.

Plan to correct any deficiencies

If you find any issues, don’t sweep them under the rug. Make a plan to correct each deficiency (the government calls plans like these POA&Ms, Plans of Action & Milestones). Gather your assessment results and POA&Ms and head on over to your prime. Let them know you’re committed to fixing your issues and that you’ve identified a way forward for each problem.

You’ll be able to complete your NIST 800-171 Self-Assessment at Complyup.

The DoD December 31 NIST 800-171 Compliance Deadline

Jan. 19th, 2017

It’s coming… the DoD December 31, 2017 NIST 800-171 compliance deadline is less than a year away. While you’re busy ringing in the new year, your contracting business may instantly become disqualified from bidding on Department of Defense work. The government has given you until December 31, 2017 to prove that you have a mature cybersecurity program in place. If you don’t have your ducks in a row, your next proposal will get thrown out for being non-compliant. Simple as that. How can you avoid this?

NIST 800-171 Compliance

On December 31, 2017, all Department of Defense contractors need to be NIST 800-171 Compliant. This new policy comes from a DFARS clause (DFARS 252.204-7012) entitled “Safeguarding Covered Defense Information and Cyber Incident Reporting”.

What Is NIST 800-171?

NIST 800-171 is a publication that describes 110 security requirements for protecting “Controlled Unclassified Information”. In this regard, CUI is essentially any unclassified technical information that has anything to do with the DoD (formal definition here). The government wants to be sure you can handle their information safely while working on contracts.

NIST 800-171 Security Requirement Families

The security controls are split up into 14 families.

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

Start Planning Now

The time to figure out how you’re going to comply with NIST 800-171 is now, while you’ve still got some runway. Several agencies are already including the compliance clause in their RFPs, and the rest will follow soon. You should begin by determining what systems are covered. This is going to differ from contractor to contractor, and possibly from contract to contract. Once you’ve scoped it out, you need to take a hard look at the 110 requirements. Remember, the government is used to undergoing FISMA assessments. They have a certain way of meeting the 800-53 requirements. This generally entails significant documentation with an unbelievable level of detail. It wouldn’t be surprising if they expect contractors to put in the same level of effort. Put a plan in place, and get moving on this. Nothing would be worse than putting time and money in a proposal only to find out you’re disqualified for non-compliance.

Am I on the hook for NIST 800-171 Compliance?

Jan. 9th, 2017

What’s behind all this NIST 800-171 compliance we keep hearing about?

Good question. The government is trying to get its cyber house in order. They’ve been good at implementing FISMA security controls for some time, but recently they’ve decided it’s time contractors take some responsibility too by implementing NIST 800-171 Compliance. Contractors with government data make excellent targets for attackers, as many of these contractors’ information security policies are not as robust as the FISMA requirements their customers adhere to. Enter NIST 800-171.

Why another NIST publication?

SP 800-171 was created specifically to address confidentiality concerns for federal data that resides on nonfederal systems. This data is referred to as Controlled Unclassified Information (CUI). The publication outlines what steps should be taken by nonfederal entities (read: contractors) to secure this data.

NIST SP 800-171 – Abstract

The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

So is NIST 800-171 the same as NIST 800-53?

Well, no. It’s like SP 800-53’s blue-collar cousin. Many of the requirements feel very similar to 800-53, but controls focusing exclusively on data integrity and availability are missing. Gone are the familiar control family abbreviations (e.g. AC, CM), but in their place you’ll find Section 3.x (e.g. 3.1 – “Access Control”, 3.4 – “Configuration Management”). The publication contains a complete mapping of 800-171 controls to 800-53 controls, primarily to demonstrate where the controls came from. For example, control 3.4.3 (800-171, 3.4 “Configuration Management”, Control #3 – “Track, review, approve/disapprove, and audit changes to information systems.”) maps directly to CM-3 (800-53, Configuration Change Control).

Is compliance mandatory?

Depends, but yes. Contractors that work for the Department of Defense (DoD) in particular are expected to adhere. On August 26, 2015, the Defense Acquisition Regulations System amended the DFARS to expand the scope of 252.204-7012. They renamed it “Safeguarding Covered Defense Information and Cyber Incident Reporting” and added verbiage that in effect states that DoD contractors must adhere to SP 800-171.

DFARS 252.204-7012

(b) Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections:

(2)(ii)(A) The Contractor shall implement NIST SP 800-171.

DFARS 252.204-7012

(b)(2)(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.

And just to make sure the word gets out, adherence to 252.204-7012 was added in a DFARS clause as a notice to contract offerors. On December 30, 2015, after a chorus of contractors cried “not yet”, a new amendment was released delaying mandatory compliance to December 31, 2017. In the meantime though, upon award of a new contract, the contractor must notify the DoD CIO within 30 days of award of any non-compliance. The government basically said “Ok, you’ve got some time to get compliant, but we still want to know where your problems are in the meantime”.

DFARS 252.204-7008

(c) For covered contractor information systems that are not part of an information technology service or system operated on behalf of the Government-

(1) By submission of this offer, the Offeror represents that it will implement the security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

What if I know I won’t be 100% compliant?

Implement a compensating control and/or explain yourself.

DFARS 252.204-7008

(c)(2)(i) If the Offeror proposes to vary from any of the security requirements specified by NIST SP 800-171 that are in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DoD Chief Information Officer (CIO), a written explanation of:

(A) Why a particular security requirement is not applicable; or

(B) How an alternative, but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection.

We’re not in DoD. What about us?

You’re not off the hook, but you’ve got less paperwork to do (unless you want to get into DoD, in which case you should get compliant with 800-171). As of June 15, 2016, all federal contractors are expected to adhere to FAR 52.204-21 – “Basic Safeguarding of Covered Contractor Information Systems”. This clause hits the highlights of 800-171 without referencing it and without enumerating a series of specific controls. The requirements of this clause are high-level and intentionally vague.

FAR 52.204-21

(b)(1) The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:

(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

(iii) Verify and control/limit connections to and use of external information systems.

(iv) Control information posted or processed on publicly accessible information systems.

(v) Identify information system users, processes acting on behalf of users, or devices.

(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

(xii) Identify, report, and correct information and information system flaws in a timely manner.

(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.

(xiv) Update malicious code protection mechanisms when new releases are available.

(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

We’re subcontractors on civilian contracts. Do we count?

Depends. Are you using your own gear on the contract, or do you use the prime’s? If it’s the former, you’re invited to the party.

FAR 52.204-21

(c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.