What Is NIST 800-171?

Posted by ComplianceForge Support on Nov 18, 2024

NIST 800-171 focuses on protecting Controlled Unclassified Information (CUI) anywhere it is stored, transmitted and processed. These controls are directly linked to NIST 800-53 and are a subset of the moderate baseline. The controls in NIST 800-171 are required to be assessed using Assessment Objectives (AOs) from NIST 800-171A.

To comply with NIST 800-171, an organization is expected to have several documentation artifacts to prove its cybersecurity program exists (e.g., policies, standards, procedures, SSP, POA&M). This requirement makes it a necessity to have clear documentation that can demonstrate evidence of due diligence and due care. For a cybersecurity assessment, if something is not documented, it does not exist.

ComplianceForge offers multiple solutions to help with NIST 800-171 / CMMC compliance! Some of our clients want a solution that is just enough to become compliant, while other clients want a more comprehensive solution that goes above and beyond the bare compliance requirements:

  • NIST 800-171 Compliance Program (NCP) – It is “battle tested”: ComplianceForge clients have successfully passed DIBCAC assessments with this documentation, including a CMMC Third-Party Assessment Organization (C3PAO). The NCP includes the policies, standards, procedures, SSP, POA&M & other templates that are legitimately needed for NIST 800-171 compliance. The NCP is designed to focus on CMMC Level 2 controls, but it also provides the necessary coverage for CMMC Level 1. The NCP is as close to the “easy button” as we can make for NIST 800-171 / CMMC documentation.
  • NIST 800-171 / CMMC Bundle #1 – If you only need to comply with CMMC Level 1 practices, then Bundle #1 is the right solution for you. This bundle contains the necessary policies, standards & procedures to address CMMC Level 1 & FAR 52.204-21 requirements.
  • NIST 800-171 / CMMC Bundle #2 – If you need to “speak NIST 800-53” for other contracts (e.g., FedRAMP, RMF, FISMA, etc.) then Bundle #2 is a great option. This version is directly aligned with the moderate baseline from NIST 800-53 and leverages NIST 800-53 terminology/taxonomy (e.g., coverage for all 20 NIST 800-53 control families). Unless you have other obligations that require the entire moderate baseline from NIST 800-53, this may be considered overkill for companies that just need to comply with CMMC / NIST 800-171.
  • NIST 800-171 / CMMC Bundle #3 – Similar to Bundle #2, Bundle #3 provides coverage for the high baseline from NIST 800-53. This is meant for those select organizations that need to adhere to the high baseline from NIST 800-53, which includes coverage for NIST 800-172 (e.g., Advanced Persistent Threats (APTs)).
  • NIST 800-171 / CMMC Bundle #4 – If you need a robust solution that exceeds just NIST 800-171 / CMMC, then Bundle #4 might be the option for you! It is designed for an enterprise-class environment that leverages or is going to leverage a GRC platform for managing documentation. Bundle #4 leverages the Secure Controls Framework (SCF) that covers over 100 cybersecurity and privacy laws, regulations and frameworks, including NIST 800-171, NIST 800-172, NIST 800-53, NIST CSF, ISO 27001/2, CMMC, and many others. The Digital Security Program (DSP) includes one year of updates so you will receive updated versions of the documentation as changes are released.

To learn more about NIST 800-171 / CMMC, see https://complianceforge.com/nist-800-171-cmmc-policy-templates/