Everything You Need to Know About NIST 800-171

January 15, 2026 | CMMC

For organizations that want to do business with the U.S. Department of Defense (DoD), understanding NIST SP 800-171—often simply called NIST 800-171—is crucial. Here’s what you need to know:

  • NIST 800-171 establishes baseline security requirements for private companies to protect certain types of sensitive but unclassified government information (CUI).
  • While NIST 800-171 and CMMC aren’t the same thing, they’re closely related.
  • NIST 800-171 includes 110 controls that are required for organizations seeking CMMC Level 2 and Level 3 certification.

Let’s take a deeper dive into this essential cybersecurity standard.

What is NIST 800-171?

NIST 800-171 is a security standard created by the federal government that outlines requirements for protecting the confidentiality of controlled unclassified information, also called CUI. CUI includes sensitive but unclassified government information, such as technical schematics, research data, and procedural documents. While not technically classified as “secret” or “top-secret,” CUI still presents a national security risk if exposed.

Compliance with NIST 800-171 is mandatory for contractors doing business with the DoD and other select government agencies. When you pursue CMMC Level 2 certification, your certified third-party assessment organization (C3PAO) will examine whether you have systems and processes in place to satisfy the controls included in NIST 800-171.

Are NIST 800-171 and CMMC the Same Thing?

No. While the two are related, NIST 800-171 and CMMC are not the same. NIST 800-171 is a framework outlining cybersecurity best practices for protecting CUI; it is a standard, not a certification.

CMMC is a certification that was developed to ensure all DoD contractors follow cybersecurity best practices based on the level of risk their work involves. It uses NIST 800-171 as a baseline, building the best practices and additional requirements into a tiered maturity model. Organizations pursuing CMMC Level 2 and higher must be compliant with all 110 controls included in NIST 800-171.

What Does NIST 800-171 Cover?

NIST 800-171 includes controls related to access control, incident response, physical protection, security awareness and training, configuration management, and more. These controls are grounded in guidance from NIST 800-53, but are adapted to apply specifically to securing CUI.

What’s the Difference Between NIST 800-171 and NIST 800-53?

NIST SP 800-53 is a comprehensive, highly prescriptive security and privacy standard that serves as the foundation for many federal compliance frameworks. It establishes a unified set of specific security and privacy controls designed to protect federal agencies and their contractors from threats such as cyberattacks, privacy breaches, and malicious activity.

NIST 800-171 builds on NIST 800-53, but it is adapted to focus on the security and protection of CUI.

What is the Benefit of a NIST 800-171 Readiness Assessment?

For many organizations, undergoing a formal review to assess readiness to comply with NIST 800-171 is a key step in preparing for a future audit or CMMC certification. A readiness assessment helps your team uncover gaps in your organization's existing controls and identify areas for improvement. When you work with BARR Advisory to complete a NIST 800-171 readiness assessment, we also provide you with prioritized recommendations for remediation.

Taking a proactive approach that includes a comprehensive readiness assessment gives your organization the opportunity to strengthen its security posture before undergoing a formal review, reducing the likelihood of surprises during an audit.

How Can BARR Help?

Whether your organization is pursuing contracts with the DoD or simply seeking to align with security and privacy best practices, our team of experts will help guide you through the complexities of compliance with NIST 800-171. Our team members have more than a decade of experience with federal compliance standards and have helped dozens of organizations achieve compliance with frameworks like NIST 800-171, CMMC, and FedRAMP.

Contact us today for a free consultation.