NIST SP 800-171 (DFARS)

National Institute of Standards and Technology (NIST) Special Publication 800-171 r1, entitled Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides a guideline for protecting the confidentiality of data.

The Department of Defense (DoD) issued a final rule on November 18, 2013, to amend the Defense Federal Acquisition Regulation Supplement (DFARS) with the addition of Subpart 204.732, Safeguarding Controlled Unclassified Information (CUI), and an associated contract clause, DFARS 252.204-7012. The rule applies to all new DoD solicitations, contracts, and newly modified existing contracts which involve CUI resident on, or transiting through, contractor unclassified information systems. The rule affects all DoD contractors and subcontractors, including vendors of commercial goods, as well as DoD personnel carrying out activities involved with the Federal Acquisition Regulation (FAR) system. The primary objectives of the rule are to 1) strengthen DoD’s data security requirements for controls that govern access to CUI on DoD contractor information systems, and 2) impose new reporting and damage assessment requirements in the event of cyber incidents which involve possible unauthorized access, disclosure, manipulation, or any loss or compromise of CUI on contractor systems. CUI is information which is not classified under Executive Order 13526 or the Atomic Energy Act, but still requires safeguarding and controls due to its potential to threaten national security, adversely affect government function, and/or negatively impact the public were the information to be made available to the wrong parties.

For DoD contractors, both domestic and abroad, the new DFARS requirements may pose significant challenges, especially for smaller organizations that lack the resources to comply with the requirements in a sustainable and cost-effective manner. Our DFARS assessments evaluate and document your organization’s adherence to security requirements recommended by NIST SP 800-171, Revision 1 and mandated by the DFARS 252.204-7012 rule. Our report provides a brief background of DFARS, outlines key requirements for safeguarding CUI, describes the methodology used to perform an independent assessment, identifies findings, and provides high-level industry best practice recommendations to aid your organization in achieving compliance.

IT Risk Pros has years of experience assisting government contractors of all sizes in securing their information infrastructure using NIST standards. From risk and gap analysis, to developing a roadmap to compliance, and even providing implementation assistance, our IT Risk Pros will lead you through the entire cybersecurity lifecycle.

Call IT Risk Pros today at 888.811.RISK (7475), or email us at to discuss your NIST SP 800-171 (DFARS) compliance needs with an experienced auditor and consultant.