NIST 800-171 R2 & R3 Compliance Documentation- DFARS 252.204-7008 & 252.204-7012

ComplianceForge has been on the forefront of developing editable policies, standards, procedures and other templates to address NIST 800-171 compliance since 2016 when it was first released. As Department of Defense (DoD) requirements evolved to include third-party attestation through the Cybersecurity Maturity Model Certification (CMMC), so did ComplianceForge’s solutions, where we offer affordable, editable cybersecurity policies, standards, procedures and other templates to address NIST 800-171 R2 & R3.  

NIST 800-171 compliance starts with documentation for the very simple fact that when it comes to cybersecurity compliance, if it is not documented then it does not exist. That is the reality of how audits/assessments work and non-existent or weak documentation can lead to non-compliance. We've been involved in NIST 800-171 compliance since 2016, where we have a long track record of successfully supporting our clients with quality documentation and support.

When it comes to NIST 800-171 compliance, ComplianceForge's editable policies, standards, procedures and other templates are a business accelerator - our products can save you time and significantly reduce the labor costs that are traditionally associated with researching and developing NIST 800-171 policies, standards and procedures on your own or by hiring a consultant to do it for you. These are not "fill in the blanks" templates - while they are expected to be edited for your specific needs, these policies, standards and procedures templates are written to address leading secure practices. ComplianceForge documentation can be scoped to address multiple environments (e.g., on-premises and/or in a hosted environment).

Editable NIST 800-171 R2 & R3 Policies, Standards, Procedures & SCRM Plan Templates

In addition to battle tested NIST 800-171 R2 documentation solutions, ComplianceForge has policies, standards, procedures and other documentation (e.g., SCRM plan) necessary to comply with NIST 800-171 R3. This includes mapping procedures down to the Assessment Objective (AO)-level in NIST 800-171A R3 to ensure that there is comprehensive coverage for your compliance needs.

The "NIST 800-171 in a nutshell" graphic show below helps depict NIST 800-171 R3 requirements from Peope, Process, Technology, Data and Facility (PPTDF) perspective. This can help better visualize what the various requirements are (e.g., administrative, technical solutions, configurations, etc.). You can download the PDF version here and you can read more about the concept of PPTDF here.

• PEOPLE - A "people" control is primarily applied to humans (e.g., employees, contractors, third-parties, etc.)
• PROCESS - A "process" control is primarily applied to a manual or automated process.
• TECHNOLOGY - A "technology" control is primarily applied to a system, application and/or service
• DATA - A "data" control is primarily applied to data (e.g., CUI, CHD, PII, etc.).
• FACILITY - A "facility" control is primarily applied to a physical building (e.g., office, data center, warehouse, home office, etc.) 

NIST 800-171 Documentation Done Right - Designed To Be Scalable, Comprehensive & Efficient

ComplianceForge is an industry leader in NIST 800-171 compliance. We specialize in cybersecurity compliance documentation and our products include the policies, standards, procedures and POA&M/SSP templates that companies (small, medium and large) need to comply with NIST 800-171. We've been writing cybersecurity documentation since 2005 and we've been writing documentation specific to NIST 800-171 since 2016. We are here to help make NIST 800-171 compliance as easy and as affordable as possible!

Complying with NIST SP 800-171 & CMMC can be hard enough without arguing over terminology. Terminology pertaining to cybersecurity documentation is often abused, so a simplified concept of the hierarchical nature of cybersecurity documentation is needed to demonstrate the unique nature of these components, as well as the dependencies that exist. ComplianceForge created a reference model that is designed to encourage clear communication by defining cybersecurity documentation components and how those are linked. This model is based on industry-recognized terminology from NIST, ISO, ISACA and AICPA to addresses the inter-connectivity of policies, control objectives, standards, guidelines, controls, assessment objectives, risks, threats, procedures & metrics. This also addresses what SSPs, POA&Ms and secure configurations are and how those integrate into an organization's existing cybersecurity documentation.

We leverage the Hierarchical Cybersecurity Governance Framework to develop the necessary documentation components that are key to being able to demonstrate evidence of due diligence and due care for our clients. This methodology towards documentation acknowledges the interconnectivity that exists between policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. Essentially, ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation that you can see in the downloadable diagram shown below. This helps demonstrate the unique nature of these components, as well as the dependencies that exist. You can download the example to better understand how we write our documentation that links policies all the way down to metrics. This is a great solution for any organization currently using or migrating to a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform to help automate their governance practices.  Click on the image below to download the PDF:

“DIBCAC Battle Tested” NIST 800-171, NIST 800-171A & CMMC 2.0 Policies, Standards & Procedures

ComplianceForge’s NIST 800-171 / CMMC documentation has been used successfully by multiple companies during DIBCAC assessments to efficiently and effectively generate the necessary artifact documentation to demonstrate compliance with NIST SP 800-171 controls and NIST SP 800-171A control objectives. This battle tested documentation includes the necessary policies, standards, procedures, SSP, POA&M, Incident Response Plan (IRP) and other documentation that are expected to exist to successfully pass a third-party assessment, be it DIBCAC or a C3PAO.

When you look at NIST 800-171 as it compares to other cybersecurity requirements, it is requiring companies to have a relatively-strong set of cybersecurity controls in place that range from administrative processes to protective technologies. We help customers that range from the Fortune 500 down to small and medium-sized businesses comply with this DFARS requirement. Our products are scalable, professionally-written and affordable.

Understanding NIST SP 800-171 vs NIST SP 800-53 vs FedRAMP

The graphic below shows how NIST SP 800-171 R3 (green columns) is significantly less than NIST SP 800-53 R5 moderate baseline (blue columns) and FedRAMP R5 moderate baseline (orange colums). This is an "apples to apples" comparison of control coverage, based on a mapping from NIST SP 800-53 R5, which is the source of the controls from NIST SP 800-171 R3 IPD and FedRAMP R5. The reason we show this is to approach compliance with your eyes wide open to what the requirements actually are.

Our NIST 800-171 compliance products are designed to scale for organizations of any size or level of complexity, so we serve businesses of all sizes, from the Fortune 500 all the way to small and medium businesses. The focus of NIST 800-171 is to protect Controlled Unclassified Information (CUI) anywhere it is stored, transmitted and processed.

As a quick summary of your requirements to comply with NIST 800-171, you are expected to have several different "documentation artifacts" to prove that your cybersecurity program exists. The reality with compliance assessments is that if something is not documented, you cannot prove it exists. Given that reality, you need to ensure your company has the proper cybersecurity documentation in place:

• Cybersecurity policies, standards & procedures  
• System Security Plan (SSP) (requirement #3.12.4)
• Plan of Action & Milestones (POA&M) (requirements #3.12.1, 3.12.2, 3.12.3 & 3.12.4)

Cybersecurity Maturity Model Certification (CMMC)

The chart below depicts all Capability Maturity Model Certification (CMMC) v2.0 requirements and how they map to other frameworks:

NIST 800-171 Scoping Considerations - Free Guide To Reducing Controlled Unclassified Information (CUI) 

What ComplianceForge Products Apply To NIST 800-171 Rev 2 Compliance?

Complying with the requirements from DFARS goes beyond just having policies and standards. When you break down the requirements to comply with DFARS / NIST 800-171, you will see how ComplianceForge's products address a specific DFARS compliance need. In the chart, "NFO" stands for Non-Federal Organization. NFO controls are required for contractors and are called out in Appendix E of NIST 800-171. Aligning with NIST 800-53 is the most straightforward approach to complying with NIST 800-171, based on the official mappings in Appendices D & E of NIST 800-171. 

Framework Alignment Matters For CMMC 2.0 & NIST 800-171 Compliance! 

Many people ask how NIST 800-171 is different from NIST 800-53. In reality, there is no NIST 800-171 vs NIST 800-53, since everything defaults back to NIST 800-53. Our solutions address both DFARS and FAR requirements for protecting Controlled Unclassified Information (CUI) by addressing NIST 800-171 and its corresponding NIST 800-53 requirements.

When it comes to being "audit ready" for a company with NIST 800-171, there is no such thing as "Bronze, Silver or Gold" levels of compliance since a standard is a standard for a reason. This is where documentation is king, since in cybersecurity compliance audits, if it is not documented then it does not exist.

ComplianceForge can provide you with the documentation you need to demonstrate evidence of due care and due diligence to be considered compliant (e.g., policies, standards, procedures, SSP & POA&M). Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident response, risk management or vulnerability management program documents. Our focus is on helping you become audit ready! 

NIST 800-171 is intended to force contractors to adhere with reasonably-expected security requirements that have been in use by the US government for years. NIST 800-171 establishes a basic set of expectations and maps these requirements to NIST 800-53, which is the de facto standard for US government cybersecurity controls. In some ways, this is a good thing since the US government is not reinventing the wheel with new requirements. Instead, the DoD selected moderate-level controls from an existing set of recognized best practices, commonly used throughout the DoD and Federal agencies. In the long run, this will help both the US government and private businesses speak the same language for cybersecurity. 

The bottom line is NIST 800-171 creates a standardized and uniform set of requirements for all Controlled Unclassified Information (CUI) security needs. This is designed to address common deficiencies in managing and protecting unclassified information by that is being stored, transmitted or processed by private businesses.  

Cost of Non-Compliance With NIST 800-171 (DFARS 252.204-7012)

What can possibly go wrong with non-compliance in a contract with the U.S. Government? 

• Contract Termination. It is reasonably expected that the U.S. Government will terminate contracts with prime contractors over non-compliance with DFARS / NIST 800-171 requirements since it is a failure to uphold contract requirements. Subcontractor non-compliance will cause a prime contractor to be non-compliant, as a whole.
• Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information (e.g., False Claims Act).
• Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a DFARS / NIST 800-171-related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., DFARS / NIST 800-171 cybersecurity controls).

As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.

What Problem Does ComplianceForge Solve?

We sell cybersecurity documentation - policies, standards, procedures and more! Our documentation is meant to help companies become audit-ready!

• Lack of In House Security Experience - Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid the task at all cost. Tasking your security analysts and engineers to write comprehensive NIST 800-171 compliance documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. ComplianceForge offers NIST 800-171 documentation solutions that can save your organization significant time and money!
• Compliance Requirements - The reality of non-compliance with NIST 800-171 requirements means lost business and potential fines. In addition to losing contracts, charges of fraud may be leveled on companies that claim to be compliant with NIST 800-171 but cannot provide evidence. Our documentation can help you become and stay compliant with NIST 800-171 where you have documented evidence to prove it!
• Audit Failures - Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. Our documentation provides mapping to NIST 800-53 and other leading security frameworks to show you exactly what is required to both stay secure and compliant. Being editable documentation, you are able to easily maintain it as your needs or technologies change.  

How Does ComplianceForge Solve It?

We take a holistic approach to creating comprehensive cybersecurity documentation that is both scalable and affordable. This is beyond just generic policies and allows you to build out an audit-ready cybersecurity program for your organization!

• Clear Documentation - In an audit, clear and concise documentation is half the battle. ComplianceForge provides comprehensive documentation that can prove your NIST 800-171 compliant security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
• Time Savings - Time is money! Our cybersecurity documentation addresses DFARS and FAR requirements and this can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs. 
• Alignment With Leading Practices - We did the heavy lifting. Our documentation is mapped to the NIST 800-53, as well as other leading security frameworks!  

DFARS 252.204-7012 (NIST 800-171 Rev 2) Implications and Federal Acquisition Regulation (FAR)

Many of our clients who need to address DFARS 252.204-7012 (NIST 800-171) also have to address FAR 52.204-21. One common question we receive from clients pertains to aligning with the correct security framework to ensure they have the proper coverage for compliance. This generally revolves around aligning with ISO 27001/27002 or NIST 800-53, since those are the two most common security frameworks.

The bottom line is that utilizing ISO 27001/27002 as a security framework does not meet the requirements of NIST 800-171. In fact, NIST 800-171 (Appendix D) maps out how the CUI security requirements of NIST 800-171 relate to NIST 800-53 and ISO 27001/27002 security controls. This includes callouts where the ISO 27001/27002 framework does not fully satisfy the requirements of NIST 800-171. Therefore, policies and standards based on NIST 800-53 are what is needed to comply with NIST 800-171. This is important to keep in mind, since FAR changes will require all US government contractors to adopt NIST 800-171 requirements in the near future.

NIST 800-171 isn’t just for Department of Defense (DoD) contractors. Representatives from the National Institute of Standards and Technology (NIST) and DoD officials have recently been putting this information out in webinars and other training seminars on NIST 800-171. This means that only the NIST 800-53 framework is going to meet FAR requirements - ISO 27002 and the NIST Cybersecurity Framework are going to be insufficient in coverage. This coming requirement for FAR cybersecurity compliance is specified on page v of NIST 800-171:

Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the Controlled Unclassified Information (CUI) Executive Agent designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program’s mission to establish uniform policies and practices across the federal government, NARA is issuing a final federal regulation in 2016 to establish the required controls and markings for CUI government-wide. This federal regulation, once enacted, will bind agencies throughout the executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program.

With regard to federal information systems, requirements in the federal regulation for protecting CUI at the moderate confidentiality impact level will be based on applicable policies established by OMB and applicable government-wide standards and guidelines issued by NIST. The regulation will not create these policies, standards, and guidelines which are already established by OMB and NIST. The regulation will, however, require adherence to the policies and use of the standards and guidelines in a consistent manner throughout the executive branch, thereby reducing current complexity for federal agencies and their nonfederal partners, including contractors.

In addition to defining safeguarding requirements for CUI within the federal government, NARA has taken steps to alleviate the potential impact of such requirements on nonfederal organizations by jointly developing with NIST, Special Publication 800-171 — and defining security requirements for protecting CUI in nonfederal systems and organizations. This approach will help nonfederal entities, including contractors, to comply with the security requirements using the systems and practices they already have in place, rather than trying to use government-specific approaches. It will also provide a standardized and uniform set of requirements for all CUI security needs, tailored to nonfederal systems, allowing nonfederal organizations to be in compliance with statutory and regulatory requirements, and to consistently implement safeguards for the protection of CUI.

Finally, NARA, in its capacity as the CUI Executive Agent, also plans to sponsor in 2017, a single Federal Acquisition Regulation (FAR) clause that will apply the requirements contained in the federal CUI regulation and Special Publication 800-171 to contractors. This will further promote standardization to benefit a substantial number of nonfederal organizations that are attempting to meet the current range and type of contract clauses, where differing requirements and conflicting guidance from federal agencies for the same information gives rise to confusion and inefficiencies. The CUI FAR clause will also address verification and compliance requirements for the security requirements in NIST Special Publication 800-171. Until the formal process of establishing such a FAR clause takes place, the requirements in NIST Special Publication 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements. If necessary, Special Publication 800-171 will be updated to remain consistent with the federal CUI regulation and the FAR clause.

Affordable, Editable NIST 800-171 Compliance Documentation (DFARS 252.204-7012)

We listened to our customers and we created several products that are specific to NIST 800-171 compliance. We had an overwhelming request from companies to help them become NIST 800-171 compliant and most told us they do not know where to start, but they just know that this is a requirement they cannot run from.

The concept is pretty simple - the NIST 800-171 Compliance Criteria (NCC) goes through each NIST 800-171 requirement and maps it to the corresponding NIST 800-53 rev 4 controls. Each of those NIST 800-53 controls is explained as to what reasonably-expected criteria would be to meet that control. Additionally, the NCC provides applicable "best practice" guidance on what steps you need to take in order to comply. That is exactly what you would expect from a dedicated consultant! What do you get if you buy the NCC?

• The NCC is a “consultant in a box” solution that is essentially a NIST 800-171 checklist in an editable Microsoft Excel format.
  • The NCC covers all controls in Appendix D of NIST 800-171.
  • It also covers Appendix E Non-Federal Organization (NFO) controls, which are required by contractors.
• Each of the NIST 800-171 controls is mapped to its corresponding NIST 800-53 control.
• Each of the NIST 800-53 controls are broken down to identify:
  • Reasonably-expected criteria to address the control.
  • Applicable compliance guidance;
  • Methods to address the requirement; and
  • Status of compliance for each control so you can use it for a self-assessment.
• The NCC maps to the Cybersecurity & Data Protection Program (CDPP) and Digital Security Program (DSP) products, so they can work in concert together to make it easier to comply with NIST 800-171 since your organization can have NIST-based policies and standards to support NIST 800-171 compliance efforts.

Background on NIST 800-171 Rev 2 Controls

NIST 800-171 requires private companies to protect the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST 800-171 are directly linked to NIST 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and non-federal organizations (e.g., government / DoD contractors). The good news is that ComplianceForge can help you with your compliance needs! We have affordable solutions that range from the NIST 800-171 Compliance Criteria (NCC) all the way to providing you with comprehensive cybersecurity policies and standards, such as the NIST 800-53 Cybersecurity & Data Protection Program (CDPP).

Appendix D of NIST 800-171 provides a direct mapping of CUI security requirements to the security controls in NIST 800-53 rev4 and ISO/IEC 27001:2013. This security control mapping information can be useful to organizations that wish to demonstrate compliance to the CUI security requirements in the context of their established information security programs, when such programs have been built around the NIST or ISO frameworks. NIST 800-53 has direct mapping, where ISO 27001/27002 has gaps that would have to be filled with enhanced policies and standards.

A central tenant to NIST 800-171 is a need to focus on secure engineering. However, it is important to keep in mind that this expectation for operationalizing security and privacy principles is not limited to NIST 800-171:

• NIST 800-53 - SA-8
• NIST Cybersecurity Framework - PR.IP-2
• ISO 27002 - 14.2.5 & 18.1.4
• Federal Acquisition Regulations (FAR) 52.204-21 - 4
• National Industrial Security Program Operating Manual (NISPOM) - 8-302 & 8-311
• SOC2 - CC3.2
• Generally Accepted Privacy Principles (GAPP) - 4.2.3, 6.2.2, 7.2.2 & 7.2.3
• New York State Department of Financial Service (DFS) - 23 NYCRR 500.08
• Payment Card Industry Data Protection Standard (PCI DSS) - 2.2
• Center for Internet Security Critical Security Controls (CIS CSC) - 1.2, 5.9, 6.2, 6.3, 6.4, 6.5, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 8.6, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6, 11.4, 11.5, 11.6, 11.7, 13.4, 13.5 & 16.5
• European Union General Data Protection Regulation (EU GDPR) - 5 & 25

Key Assumptions For NIST 800-171 That Impact Scoping

NIST 800-171 states that contractors may limit the scope of the CUI security requirements to those particular systems or components. Isolating CUI into its own security domain by applying architectural design principles or concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for non-federal organizations to satisfy the requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both.

Is Your Organization Audit Ready for NIST 800-171?

When you "peel back the onion" and prepare for a NIST 800-171 audit, there is a need to address "the how" for certain topics. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation to address HOW it gets done. We did the heavy lifting and created several program-level documents to address this need and they integrate with either the Cybersecurity & Data Protection Program (CDPP) or Digital Security Program (DSP) to provide your organization with a set of robust documentation to prepare for your audit. This gives you a full stack of documentation that covers your needs for policies, standards, procedures, System Security Plan (SSP) and a Plan of Action & Milestones (POA&M). 

NIST 800-171 Compliance Through A NIST 800-53 Rev5-Based Cybersecurity Program

US Federal agencies require NIST 800-171 compliance for protecting the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST 800-171 are directly linked to NIST 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and nonfederal organizations (e.g., government contractors), as it applies to:

• When CUI is resident in nonfederal information systems and organizations;
• When information systems where CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
• Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry

The NIST 800-171 requirements apply to all components of non-federal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The good news is that ComplianceForge can help you with your compliance needs!

Controlled Unclassified Information (CUI) - Understanding NIST 800-53 rev 5 MODERATE Controls

Does your company need to comply with NIST 800-171 requirements for MODERATE baseline controls from NIST 800-53? The good news is our NIST 800-53 based Cybersecurity & Data Protection Program (CDPP) has the documentation you need to comply with MODERATE baseline controls.

The CUI requirements developed from the tailored FIPS Publication 200 security requirements and the NIST 800-53 moderate security control baseline represent a subset of the safeguarding measures necessary for a comprehensive information security program. The strength and quality of such programs in nonfederal organizations depend on the degree to which the organizations implement the security requirements and controls that are expected to be routinely satisfied without specification by the federal government. This includes implementing security policies,

The combination of the basic and derived security requirements captures the intent of FIPS Publication 200 and NIST 800-53, with respect to the protection of the confidentiality of CUI in nonfederal information systems and organizations. Appendix D provides informal mappings of the CUI security requirements to the relevant security controls in NIST 800-53 and ISO/IEC 27001. The mappings are included to promote a better understanding of the CUI security requirements and are not intended to impose additional requirements on nonfederal organizations.

For ease of use, the security requirements are organized into fourteen families. Each family contains the requirements related to the general security topic of the family. The families are closely aligned with the minimum security requirements for federal information and information systems described in FIPS Publication 200. The contingency planning, system and services acquisition, and planning requirements are not included within the scope of this publication due to the aforementioned tailoring criteria.

What Does NIST 800-171 Require?

NIST 800-171 describes fourteen (14) families of security requirements for protecting the confidentiality of CUI. The families are aligned with the minimum security requirements for federal information and information systems described in Federal Information Processing Standard (FIPS) 200, with exceptions for contingency planning, system, and services acquisition and planning requirements.

Appendix D of NIST 800-171 maps requirements to both NIST 800-53 rev4 and ISO 27002:2013 best practices. Only NIST 800-53 offers complete coverage for NIST 800-171 requirements.