The Importance of Having a NIST 800-171 Compliance Checklist


The Importance of Having a NIST 800-171 Compliance Checklist


Jan. 20th, 2019

Why a Checklist Helps Solve NIST 800-171

The requirements that are imposed by NIST 800-171 are extensive and leave little room for error on the part of the government contractor. One mistake is all that it takes to leave controlled unclassified information vulnerable when it resides on a contractor’s system. Possible consequences for non-compliance include the potential loss of all government contracts and debarment as a government contractor. Given the possible repercussions, compliance with these requirements becomes an existential issue for businesses.


Knowing how high the stakes are, contractors must consider the best way to comply with these rules. Without the proper planning and foresight, critical aspects of compliance may be missed. Since compliance is a process that proceeds in multiple steps, it may sense to plan out the steps before they occur and monitor them as they are being executed.

Don’t Miss a Step

When going through a large systemic change such as NIST 800 171 compliance, it is easy to miss a step or even a small detail. Since everything flows together, even the smallest of details can trip up the unsuspecting contractor. The rule requires 110 different areas of compliance across 14 different categories, so there is plenty to track.

With that in mind, contractors should consider drawing up a NIST 800 171 compliance checklist. This will keep the business organized and ensure that they do not lose sight of any critical steps when it comes to meeting the obligations of these rules. This checklist should break compliance steps into every piece of action that must be taken and should be composed ahead of time and updated as things change.

Prepare Beforehand

Before a contractor even draws up a compliance checklist, they should scrutinize each of their contracts to understand what the cybersecurity requirements are. There could be additional requirements beyond those which are required by NIST 800-171. These would be contained in various contract clauses that are included in each contract. Contracts with the Department of Defense will include the DFARS clause that makes NIST compliance mandatory. Contracts with non-DOD agencies may have other requirements.

A sound NIST 800 171 compliance checklist will involve the identification of all relevant areas. Each specific area will be categorized and assigned a baseline control. Each baseline control should be tested. In addition, the checklist should state how each area will be continuously tested. Further, the compliance checklist will set forth the meaning of each requirement next to the requirement so everyone is clear on what the requirement actually means.

Be Organized

Organization and preparation are the keys when compiling a NIST 800 171 compliance checklist. If everything is coherently enumerated ahead of time, compliance with the cybersecurity rules will be a matter of executing a previously planned set of events. It is the foresight and the planning that will make this a smoother process. Contractors are already intimidated enough by these extensive new mandates and any hint of disorganization will only make a difficult process worse. Compliance solutions from a NIST 800 171 expert can help your business better devise a checklist that will make following these new rules easier.