The National Institute of Standards and Technology Special Publication 800-171 (NIST 800-171) sets cybersecurity standards for US government subcontractors. Any organization that processes or stores Controlled Unclassified Information (CUI) for government agencies must be compliant with NIST 800-171.

Compliance is achieved through a self-assessment process, with evidence collected in an overarching document. Organizations will test and record compliance with a range of requirements set out by NIST 800-171.

Compliance with NIST 800-171 will be a contractual obligation for a huge range of prime and subcontractors working with government agencies. It will also be a key requirement during the tendering process. Because of this, organizations must understand what evidence is required to achieve compliance.

This article explores NIST 800-171 and explains the key documentation required to evidence compliance.

Compliance with NIST 800-171

First, the basics. Any organization that deals with Controlled Unclassified Information as a government agency contractor will need to be compliant. Each government agency will have publicly listed the relevant categories of CUI, but this generally includes sensitive information that needs to be safeguarded.

This will be relevant to government contractors or service providers but could also apply to research institutions that receive federal funding. Examples of organizations include consultants, manufacturers, universities, and service providers within a government agency’s supply chain.

Organizations in the supply chain of state and federal agencies or branches of the government like the Department of Defense (DoD) will need to comply too. Compliance aims to make certain that information and data are safeguarded against cybersecurity threats. This is achieved by ensuring best-practice information security controls are in place.

Information processed or stored by organizations within the government agency supply chain will likely be sensitive. Controlled Unclassified Information can often be targeted by cyberattacks, and any cyber breach resulting from non-compliance could lead to fines or breach of contract.

Compliance with NIST 800-171 is usually a contractual obligation, and in effect strengthens the entire supply chain against cyber threats.

Evidence for self-assessment

There’s currently no NIST 800-171 certification. Instead, compliance with NIST 800-171 relies on self-assessment, though organizations can utilize a third-party assessment company. In both cases, there is a range of evidence that needs to be collected to determine and demonstrate this compliance.

As evidence of compliance with NIST 800-171 will typically be a contractual obligation, subcontractors will likely need to show evidence of compliance to prime contractors when beginning or renewing a contract. Likewise, prime contractors may need to show evidence of compliance to the government agency as part of the contract. 

The actual process of achieving and assessing compliance can take many months and collecting documentation and records is a vital step. Compliance means recording evidence of assessment against a range of security controls set out by NIST 800-171, see our guide for more information on staying compliant in 2021.

All areas of the network or organization that process or store relevant information will be audited as part of the compliance assessment. Assessment points include device and network setup, but also staff and employee training too.

Organizations will also need to compile evidence in overarching documents that prove compliance. The documents are the Plan of Action with Milestones (POAM) and a System Security Plan (SSP). These documents are reviewed to confirm compliance.

System Security Plan

The System Security Plan (SSP) is the core evidence of compliance with NIST 800-171. The document outlines the features of the organization’s system, covering devices, software, and hardware in the network. The SSP also summarizes security procedures and policies within the organization, identifying the training and policies which govern system administrators and users.

The SSP gives a comprehensive view of NIST 800-171 compliance, and in many cases will be reviewed during the tendering process for government agency contracts.

Plan of Action with Milestones

The Plan of Action with Milestone (POAM) is another overarching document provided as evidence of compliance. It will usually be combined within the same document as the SSP. The POAM is an outline of the actions an organization will take to resolve any vulnerabilities flagged by the NIST 800-171 assessment.

It’s a remedial plan which highlights how an organization will meet compliance requirements. For this reason, the document is situational and may not be included within every organization’s SSP documentation and evidence.

Streamline NIST 800-171 compliance with Titania Nipper

With 110 controls that need to be assessed to prove compliance, the process can seem complex and time-consuming. Yet Titania Nipper can help to streamline assessment and evidence gathering of system and network compliance. Titania Nipper can be used to assess 89% of NIST 800-171 controls related to core network devices across eight Control Families. Assessments are accurate and can be automated, with each device audit saving internal auditors up to three hours per device audit.

Nipper is trusted by federal agencies and government departments and related prime and subcontractors. Supplier Performance Risk System (SPRS) points system is a key contractor assessment for the Department of Defense. Nipper can demonstrate 31 SPRS points, 28% of the total points needed for full compliance.

Download our NIST 800-171 Automation Summary to see which 31 controls Nipper can assess today.