NIST 800-171 Doesn't Have To Be Hard
If you are looking for NIST 800-171 compliant cybersecurity policies, standards, procedures, SSP and POA&M templates, then you have found the right place! That is what we do:
- Affordable
- Editable
- Scalable
- Professionally-written
NIST 800-171 Compliance
Whether you are a prime or subcontractor, NIST 800-171 compliance is a topic that you should take very seriously. What can possibly go wrong with non-compliance in a contract with the U.S. Government?
- Contract Termination. It is reasonably expected that the U.S. Government will terminate contracts with prime contractors over non-compliance with DFARS or FAR requirements, since it is a failure to uphold contract requirements. Subcontractor non-compliance may cause a prime contractor to be non-compliant. Both the prime and subcontractors face contract termination for non-compliance.
- Criminal Fraud. Within the scope of the False Claims Act, if a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information.
- Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a contract-related tort would be negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., DFARS or FAR cybersecurity controls).
As you can see from those examples, the cost of non-compliance is quite significant. NIST 800-171 applies to both Department of Defense (DoD) contractors and contractors to the US Federal government. Ensuring alignment with NIST 800-171 requirements does not have to be complicated, but it does need to be thorough, since not all cybersecurity frameworks will provide you with the appropriate coverage.

The bottom line is that utilizing the NIST Cybersecurity Framework or ISO 27001/27002 as a security framework does not directly meet the requirements of NIST 800-171. In fact, NIST 800-171 (Appendix D) maps out how the CUI security requirements of NIST 800-171 relate to NIST 800-53 and ISO 27001/27002 security controls. This includes callouts where the ISO 27001/27002 framework does not fully satisfy the requirements of NIST 800-171.
Essentially, this means that only the NIST 800-53 framework is going to meet the DFARS requirements of NIST 800-171 to protect both Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls. ISO 27002 and the NIST Cybersecurity Framework are going to be insufficient in coverage, so it is best to avoid those frameworks unless there is a clear business need, which will require the addition of numerous controls to make up for their shortfalls.

Understanding NIST 800-171 Compliance
We put together a free guide to help identify what is in scope for NIST 800-171. Once you know what your CUI is, the next step is to scope your environment and this is a valuable guide for those efforts. Not sure what CUI is or if you have CUI on your network? Go to the US government's authoritative source on the matter, the US Archives CUI Registry at https://www.archives.gov/cui/registry.
When you look at NIST 800-171 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS). That may sound odd to you, but from the perspective of PCI DSS, if scoping is done poorly, a company's entire network may be in scope as the Cardholder Data Environment (CDE), which means PCI DSS requirements would apply uniformly throughout the entire company. The same holds true for CUI environments. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. When the network is intelligently designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable.
When you have a firm handle on what CUI is in your environment, your next step is to identify which NIST 800-171 controls are applicable. This gap assessment will identify the controls for which you need policies, standards and procedures in place, so that you can provide evidence of both due care and due diligence.

NIST 800-171 Compliance Documentation
To quickly summarize the requirements to comply with NIST 800-171, you are expected to have several different types of documentation to prove that your cybersecurity program exists. The reality with compliance assessments is that if something is not documented, you cannot prove it exists. Given that reality, you need to ensure your company has the following cybersecurity documentation in place:
- Cybersecurity policies, standards & procedures
- System Security Plan (SSP) (requirement #3.12.4)
- Plan of Action & Milestones (POA&M) (requirements #3.12.1, 3.12.2, 3.12.3 & 3.12.4)
The good news is ComplianceForge has this documentation - you can buy it online and have it in as little as the same business day!
NIST 800-171 "Easy Button"
The NIST 800-171 Compliance Program (NCP) is the most cost-effective and simple solution we offer. The NCP is as close as you can get to an "easy button" for NIST 800-171 compliance documentation, since it is entirely focused on NIST 800-171 and nothing more.
The NCP comes with all of the documentation that you need to comply with DFARS/NIST 800-171 cybersecurity requirements:
- NIST 800-171 Cybersecurity Policies and Standards - policies and standards specific to NIST 800-171 that come in an editable Microsoft Word format.
- NIST 800-171 Procedures - cybersecurity procedures that are directly linked to the policies and standards in an editable Microsoft Word format.
- System Security Plan (SSP) Template - SSP template that is specific to documenting how your Controlled Unclassified Information (CUI) is stored, transmitted and processed.
- Plan of Action & Milestones (POA&M) Template - POA&M template that allows you to easily track any control deficiencies.
- Supplemental guidance documentation - in addition to an Incident Response Plan (IRP) and other useful templates, the NCP comes with a complete breakdown of all CUI and Non-Federal Organization (NFO) controls with guidance on what is expected to be in place from an auditor's perspective.
NIST 800-171 Consulting Services
If you are looking for an impartial, third-party assessment of NIST 800-171 compliance, these companies can perform that service for you. The resulting third-party NIST 800-171 compliance report can be shared with prime contractors and other partners requiring independent NIST 800-171 assessments. You also receive a trustmark that you can use for advertising on your website and in other marketing brochures to highlight your compliance with NIST 800-171.
Verutus
Verutus specializes in providing growing companies with cybersecurity expertise in Governance, Risk, Compliance and Privacy. You will be provided with straight answers to your questions, so that you can take action to protect your company, meet compliance requirements and win contracts!
SecurityWaypoint
SecurityWaypoint brings simplicity and efficiency to implementing a cybersecurity program. Their experts can analyze your organization's internal control system to make it efficient to manage and to cover your compliance requirements.