NIST SP 800-171 R2 Compliance (DFARS 252.204-7012)

NIST SP 800-171 Rev 2 refers to the Second Revision (Rev 2) of National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171):

What Is NIST SP 800-171 Rev 2?

NIST SP 800-171 Rev 2 is focused on the protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations (e.g., defense contractors). NIST SP 800-171 provides US federal agencies (including the US Department of Defense (DoD)) with recommended cybersecurity requirements to protect the confidentiality and integrity of CUI in nonfederal systems and organizations. NIST SP 800-171 was first published in 2015 and the current version (Rev 3) was released in May 2024.

NIST SP 800-171 is designed to require contractors to adhere to reasonably-expected security requirements that have been in use by the US government for years. NIST 800-171 establishes a basic set of expectations and maps these requirements to NIST 800-53, which is the de facto standard for US government cybersecurity controls. NIST 800-171 creates a standardized and uniform set of requirements for all Controlled Unclassified Information (CUI) security needs. This is designed to address common deficiencies in managing and protecting unclassified information that is being stored, transmitted or processed by private businesses.

NOTE: While NIST SP 800-171 Rev 3 is the current version of NIST SP 800-171, the DoD issued a class deviation in May 2024 for DFARS Clause 252.204-7012 to indefinitely require DoD contractors to comply with NIST SP 800-171 Rev 2. DFARS Clause 252.204-7012 mandates defense contractors to

The Office of Management and Budget (OMB) requires organizations to adopt the most current version of NIST publications one year after the new version's public release. From a NIST 800-171 perspective, this means NIST 800-171 Rev 3 is expected to be required in contracts no later than May 2025, at which time NIST 800-171 Rev 2 is deprecated (outdated). Per OMB Circular No. A-130: "For legacy information systems, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines within one year of their respective publication dates unless otherwise directed by OMB. The one-year compliance date for revisions to NIST publications applies only to new or updated material in the publications. For information systems under development or for legacy systems undergoing significant changes, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines immediately upon deployment of the systems."

Who Needs To Comply With NIST SP 800-171 Rev 2?

An organization that stores, processes and/or transmits CUI as part of a contract with the US government is required to comply with NIST SP 800-171. Examples of these organizations that may store, process and/or transmit CUI as part of a contract include, but are not limited to:

What Is The Source of NIST SP 800-171 Rev 2 Requirements?

The requirements in NIST SP 800-171 Rev 2 are based on 32 CFR Part 2002 and are derived from:

NIST determined the requirements in NIST SP 800-171 Rev 2 provide the necessary protection for federal information and systems that are covered under the Federal Information Security Modernization Act (FISMA). NIST applied tailoring criteria from FIPS 200 requirements for NIST SP 800-53 Rev 4 controls to come up with four (4) types of requirements, listed in Appendix E of NIST SP 800-171 Rev 2:

  1. NCO;
  2. FED;
  3. NFO; and
  4. CUI.

What Are NCO Requirements?

NCO requirements are not directly related to protecting the confidentiality of CUI. NCO requirements are not mandatory to be implemented to comply with NIST SP 800-171 Rev 2.

What Are FED Requirements?

FED requirements are “uniquely federal” and primarily the responsibility of the US federal government. FED requirements are not mandatory to be implemented to comply with NIST SP 800-171 Rev 2.

What Are NFO Requirements?

NFO requirements are expected to be routinely satisfied by Non-Federal Organizations (NFOs) without specification. NFO requirements must be implemented to comply with NIST SP 800-171 Rev 2.

What Are CUI Requirements?

CUI requirements protect the confidentiality and/or integrity of assets that store, process and/or transmit CUI. CUI requirements must be implemented to comply with NIST SP 800-171 Rev 2.

Are NIST SP 800-171 Requirements Considered “Best Practices” For Cybersecurity?

No. NIST SP 800-171 requirements are not “best practices” and are better described as reasonable cybersecurity practices to protect sensitive and/or regulated data. NIST SP 800-171 Rev 2 only protects against unauthorized disclosure and modification of CUI. It does not contain security controls that are considered “best practices” in cybersecurity.

Is NIST SP 800-171 Rev 2 A Contractual Obligation?

Yes. Organizations must implement NIST SP 800-171 Rev 2 requirements as part of a contractual obligation with the US Government. Contractors (including subcontractors) that store, process and/or transmit CUI must comply with NIST SP 800-171.

What Is The Scope of NIST SP 800-171 Rev 2 Compliance?

From the Abstract section in NIST SP 800-171 Rev 2 that defines the scope of NIST SP 800-171 Rev 2 compliance efforts, requirements “apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components.” The requirements in NIST SP 800-171 Rev 2 are intended to be used by US federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations (e.g., contractors).

While NIST does not provide additional scoping guidance for NIST SP 800-171 Rev 2, the DoD provides scoping for CMMC Level 2 environments. Additionally, ComplianceForge’s Unified Scoping Guide (USG) provides scoping guidance for CUI and other types of sensitive/regulated data.

What Is Controlled Unclassified Information (CUI)?

According to the US National Archives (NARA) that runs the US Government’s CUI Program, CUI is broadly defined as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act.”

In the context of cybersecurity, one of the more common forms of CUI is Controlled Technical Information (CTI) that broadly includes:

Is Controlled Unclassified Information (CUI) Classified?

No. While CUI is sensitive information, it is not classified. CUI replaces For Official Use Only (FOUO) to protect unclassified, yet sensitive, data to prevent adverse national security and economic consequences.

Executive Orders (EO) 12356 and 13526 established the foundation for what "classified" data is, while EO 13556 established the foundation for CUI.

There are two (2) types of Unclassified data from the US Government's perspective:

  1. Controlled Unclassified Information (CUI):
    1. CUI Basic; and
    2. CUI Specified.
  2. Uncontrolled Unclassified Information (UUI):
    1. General UUI (not publicly released or FCI);
    2. Federal Contract Information (FCI); and
    3. Information that has been cleared for public release.

There are three (3) types of Classified data from the US Government's perspective:

  1. Confidential;
  2. Secret; and
  3. Top Secret.

What Are The NIST SP 800-171 Rev 2 Requirements Used To Protect CUI?

While NIST SP 800-171 Rev 2 contains 110 requirements, there are 320 Assessment Objectives (AOs) in NIST SP 800-171A that must be used to evaluate the requirements from NIST SP 800-171 R2. The requirement to use NIST SP 800-171A AOs was first defined by NARA’s Information Security Oversight Office (ISOO) in 2020 with CUI Notice 2020-04.

NIST SP 800-171 Rev 2 organizes the requirements according to 14 families. The requirements in NIST SP 800-171 Rev 2 all have a “3.X” prefix due to the requirements being in Chapter 3 of NIST SP 800-171.

The NIST SP 800-171 Rev 2 families are:

3.1 Access Control

This family of NIST SP 800-171 Rev 2 requirements focuses on logical access control. There are 22 unique access control requirements that are focused on protecting CUI.

3.2 Awareness and Training

This family of NIST SP 800-171 Rev 2 requirements focuses on end user training, specifically for personnel who handle CUI or administer technologies that support and/or protect CUI.  There are 3 unique awareness and training requirements that are focused on protecting CUI.

3.3 Audit and Accountability

This family of NIST SP 800-171 Rev 2 requirements focuses on technology-related event logging to maintain situational awareness of the CUI environment.  There are 9 unique audit and accountability requirements that are focused on protecting CUI.

3.4 Configuration Management

This family of NIST SP 800-171 Rev 2 requirements focuses on technology-related configuration management practices to secure the CUI environment.  There are 9 unique configuration management requirements that are focused on protecting CUI.

3.5 Identification and Authentication

This family of NIST SP 800-171 Rev 2 requirements focuses on technology-related Identity and Access Management (IAM) practices to securely limit access to only those people and processes with a legitimate business need.  There are 11 unique identification and authentication requirements that are focused on protecting CUI.

3.6 Incident Response

This family of NIST SP 800-171 Rev 2 requirements focuses on incident response practices associated with the CUI environment.  There are 3 unique incident response requirements that are focused on protecting CUI.

3.7 Maintenance

This family of NIST SP 800-171 Rev 2 requirements focuses on technology-related maintenance activities within the CUI environment. There are 6 unique maintenance requirements that are focused on protecting CUI.

3.8 Media Protection

This family of NIST SP 800-171 Rev 2 requirements focuses on technology-related media protection and handling practices.  There are 9 unique media protection requirements that are focused on protecting CUI.

3.9 Personnel Security

This family of NIST SP 800-171 Rev 2 requirements focuses on personnel-related management practices to ensure only necessary individuals have access to the CUI environment.  There are 2 unique personnel security requirements that are focused on protecting CUI.

3.10 Physical Protection

This family of NIST SP 800-171 Rev 2 requirements focuses on physical security-related practices to physically secure the CUI environment.  There are 6 unique physical protection requirements that are focused on protecting CUI.

3.11 Risk Assessment

This family of NIST SP 800-171 Rev 2 requirements focuses on risk management practices associated with the CUI environment.  There are 3 unique risk assessment requirements that are focused on protecting CUI.

3.12 Security Assessment

This family of NIST SP 800-171 Rev 2 requirements focuses on System Development Lifecycle (SDLC) practices to ensure the security of the CUI environment as technologies and processes change and evolve.  There are 4 unique security assessment requirements that are focused on protecting CUI.

3.13 System and Communications Protection

This family of NIST SP 800-171 Rev 2 requirements focuses on technology-related network security aspects of the CUI environment.  There are 16 unique system and communication protection requirements that are focused on protecting CUI.

3.14 System and Information Integrity

This family of NIST SP 800-171 Rev 2 requirements focuses on technology-related event monitoring to maintain situational awareness of the CUI environment.  There are 7 unique system and information integrity requirements that are focused on protecting CUI.

What Does It Mean To Comply With NIST SP 800-171 Rev 2?

Only the DoD has a third-party assessment methodology in place to provide conformity assessments for NIST SP 800-171 Rev 2, which is the Cybersecurity Maturity Model Certification (CMMC).

For non-DoD contractors, compliance with NIST SP 800-171 Rev 2 is “on the honor system” similar to compliance with HIPAA, PCI DSS, GDPR and other common compliance obligations that organizations must comply with.

What Are The Penalties For Non-Compliance With NIST 800-171 Rev 2?

Non-compliance with NIST SP 800-171 Rev 2 could be a False Claims Act (FCA) violation and the US Department of Justice (DOJ) is taking FCA violations seriously. Additional penalties for non-compliance with NIST 800-171 Rev 2 include, but are not limited to:

As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.

How Do I Upgrade To NIST 800-171 R3?

Sooner, rather than later, the US Government's global supply chain will have to transition to NIST 800-171 R3. ComplianceForge provides a free resource for organizations migrating from NIST 800-171 R2 to R3. This guide provides an Assessment Objective (AO)-level analysis to address differences:

  • Over 1/3 are minimal effort (clear, direct mapping);
  • Approximately 1/5 are moderate effort (indirect mapping); and
  • Approximately 1/2 are significant effort (no clear mapping or new AOs).

This guide also addresses the logical dependencies that exist from "orphaned AOs" that are not in NIST 800-171A R3, but a requirement to demonstrate evidence of due diligence and due care still exists for specific functions (e.g., maintenance operations, roles & responsibilities, inventories, physical security, etc.).

How Do I Comply With NIST SP 800-171 R2?

ComplianceForge has been on the forefront of developing editable policies, standards, procedures and other templates to address NIST 800-171 compliance since 2016 when it was first released. As Department of Defense (DoD) requirements evolved to include third-party attestation through the Cybersecurity Maturity Model Certification (CMMC), so did ComplianceForge’s solutions, where we offer affordable, editable cybersecurity policies, standards, procedures and other templates to address NIST 800-171 R2 & R3.  

NIST 800-171 compliance starts with documentation for the very simple fact that when it comes to cybersecurity compliance, if it is not documented then it does not exist. That is the reality of how audits/assessments work and non-existent or weak documentation can lead to non-compliance. We've been involved in NIST 800-171 compliance since 2016, where we have a long track record of successfully supporting our clients with quality documentation and support.

When it comes to NIST 800-171 compliance, ComplianceForge's editable policies, standards, procedures and other templates are a business accelerator - our products can save you time and significantly reduce the labor costs that are traditionally associated with researching and developing NIST 800-171 policies, standards and procedures on your own or by hiring a consultant to do it for you. These are not "fill in the blanks" templates - while they are expected to be edited for your specific needs, these policies, standards and procedures templates are written to address leading secure practices. ComplianceForge documentation can be scoped to address multiple environments (e.g., on-premises and/or in a hosted environment).

What Problem Does ComplianceForge's NIST SP 800-171 Rev 2 Documentation Solve?

We sell cybersecurity documentation - policies, standards, procedures and more! Our documentation is meant to help companies become audit-ready!

How Does ComplianceForge Help Me Comply With NIST SP 800-171 Rev 2?

We take a holistic approach to creating comprehensive cybersecurity documentation that is both scalable and affordable. This is beyond just generic policies and allows you to build out an audit-ready cybersecurity program for your organization!

“DIBCAC Battle Tested” Policies, Standards & Procedures

ComplianceForge’s NIST 800-171 / CMMC documentation has been used successfully by multiple companies during DIBCAC assessments to efficiently and effectively generate the necessary artifact documentation to demonstrate compliance with NIST SP 800-171 controls and NIST SP 800-171A control objectives. This battle tested documentation includes the necessary policies, standards, procedures, SSP, POA&M, Incident Response Plan (IRP) and other documentation that are expected to exist to successfully pass a third-party assessment, be it DIBCAC or a C3PAO.

When you look at NIST 800-171 as it compares to other cybersecurity requirements, it is requiring companies to have a relatively-strong set of cybersecurity controls in place that range from administrative processes to protective technologies. We help customers that range from the Fortune 500 down to small and medium-sized businesses comply with this DFARS requirement. Our products are scalable, professionally-written and affordable.

Editable NIST 800-171 Policies, Standards, Procedures Templates

In addition to battle tested NIST 800-171 R2 documentation solutions, ComplianceForge has policies, standards, procedures and other documentation (e.g., SCRM plan) necessary to comply with NIST 800-171 R3. This includes mapping procedures down to the Assessment Objective (AO)-level in NIST 800-171A R3 to ensure that there is comprehensive coverage for your compliance needs.

The "NIST 800-171 in a nutshell" graphic shown below helps depict NIST 800-171 R3 requirements from a People, Process, Technology, Data and Facility (PPTDF) perspective. This can help better visualize what the various requirements are (e.g., administrative, technical solutions, configurations, etc.). You can download the PDF version here and you can read more about the concept of PPTDF here.

NIST 800-171 R3 In A Nutshell

NIST 800-171 Documentation Done Right - Scalable, Comprehensive & Efficient

ComplianceForge is an industry leader in NIST 800-171 compliance. We specialize in cybersecurity compliance documentation and our products include the policies, standards, procedures and POA&M/SSP templates that companies (small, medium and large) need to comply with NIST 800-171. We've been writing cybersecurity documentation since 2005 and we've been writing documentation specific to NIST 800-171 since 2016. We are here to help make NIST 800-171 compliance as easy and as affordable as possible!

Complying with NIST SP 800-171 & CMMC can be hard enough without arguing over terminology. Terminology pertaining to cybersecurity documentation is often abused, so a simplified concept of the hierarchical nature of cybersecurity documentation is needed to demonstrate the unique nature of these components, as well as the dependencies that exist. ComplianceForge created a reference model that is designed to encourage clear communication by defining cybersecurity documentation components and how those are linked. This model is based on industry-recognized terminology from NIST, ISO, ISACA and AICPA to address the inter-connectivity of policies, control objectives, standards, guidelines, controls, assessment objectives, risks, threats, procedures & metrics. This also addresses what SSPs, POA&Ms and secure configurations are and how those integrate into an organization's existing cybersecurity documentation.

We leverage the Hierarchical Cybersecurity Governance Framework to develop the necessary documentation components that are key to being able to demonstrate evidence of due diligence and due care for our clients. This methodology towards documentation acknowledges the interconnectivity that exists between policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. Essentially, ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation that you can see in the downloadable diagram shown below. This helps demonstrate the unique nature of these components, as well as the dependencies that exist. You can download the example to better understand how we write our documentation that links policies all the way down to metrics. This is a great solution for any organization currently using or migrating to a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform to help automate their governance practices.  Click on the image below to download the PDF:

NIST 800-171 compliance documentation terminology reference

As a quick summary of your requirements to comply with NIST 800-171, you are expected to have several different "documentation artifacts" to prove that your cybersecurity program exists. The reality with compliance assessments is that if something is not documented, you cannot prove it exists. Given that reality, you need to ensure your company has the proper cybersecurity documentation in place:

What Documentation Is Needed To Comply With NIST 800-171 Rev 2?

Complying with the requirements from DFARS goes beyond just having policies and standards. When you break down the requirements to comply with DFARS / NIST 800-171, you will see how ComplianceForge's products address a specific DFARS compliance need. In the chart, "NFO" stands for Non-Federal Organization. NFO controls are required for contractors and are called out in Appendix E of NIST 800-171. Aligning with NIST 800-53 is the most straightforward approach to complying with NIST 800-171, based on the official mappings in Appendices D & E of NIST 800-171. 

| ComplianceForge Product | DFARS / NIST 800-171 | NIST 800-53 |
|---|---|---|
| NIST 800-171 Compliance Program (NCP), Cybersecurity & Data Protection Program (CDPP) or Digital Security Program (DSP) [policies & standards map to all NIST 800-171 rev1 requirements] | 252.204-7008; 252.204-7012; NIST 800-171 (multiple NFO controls) | PM-1; [multiple sections] |
| Cybersecurity Supply Chain Risk Management Strategy & Implementation Plan (C-SCRM SIP) | 252.204-7008; 252.204-7012; NIST 800-171 NFO PS-7 | PS-7; SA-4 |
| Cybersecurity Risk Management Program (RMP) | 252.204-7008; 252.204-7012; NIST 800-171 NFO RA-1 | PM-9; RA-1 |
| Cybersecurity Risk Assessment Template (CRA) | 252.204-7008; 252.204-7012; NIST 800-171 3.11.1 | RA-3 |
| Vulnerability & Patch Management Program (VPMP) | 252.204-7008; 252.204-7012; NIST 800-171 3.11.2 | SI-2; SI-3(2) |
| Integrated Incident Response Program (IIRP) | 252.204-7008; 252.204-7009; 252.204-7010; 252.204-7012; NIST 800-171 3.6.1 | IR-1 |
| Security & Privacy By Design (SPBD) | 252.204-7008; 252.204-7012; NIST 800-171 NFO SA-3 | Privacy Section; SA-3 |
| System Security Plan (SSP) | 252.204-7008; 252.204-7012; NIST 800-171 3.12.4 | PL-2 |
| Cybersecurity Standardized Operating Procedures (CSOP) | 252.204-7008; 252.204-7012; NIST 800-171 (multiple NFO controls) | PL-7; [multiple sections] |
| Continuity of Operations Plan (COOP) | 252.204-7008; 252.204-7012; NIST 800-171 3.6.1 | CP-1; CP-2; IR-4(3); PM-8 |
| Secure Baseline Configurations (SBC) | 252.204-7008; 252.204-7012; NIST 800-171 3.4.1 | CM-2; CM-6; SA-8 |
| Information Assurance Program (IAP) | 252.204-7008; 252.204-7012; NIST 800-171 NFO CA-1 | CA-1; PM-10 |

When it comes to a company being "audit ready" for NIST 800-171, there is no such thing as "Bronze, Silver or Gold" levels of compliance since a standard is a standard for a reason. This is where documentation is king, since in cybersecurity compliance audits, if it is not documented then it does not exist.

ComplianceForge can provide you with the documentation you need to demonstrate evidence of due care and due diligence to be considered compliant (e.g., policies, standards, procedures, SSP & POA&M). Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident response, risk management or vulnerability management program documents. Our focus is on helping you become audit ready!

Affordable, Editable NIST 800-171 Compliance Documentation (DFARS 252.204-7012)

We listened to our customers and we created several products that are specific to NIST 800-171 compliance. We had an overwhelming request from companies to help them become NIST 800-171 compliant and most told us they do not know where to start, but they just know that this is a requirement they cannot run from.

The concept is pretty simple - the NIST 800-171 Compliance Criteria (NCC) goes through each NIST 800-171 requirement and maps it to the corresponding NIST 800-53 rev 4 controls. Each of those NIST 800-53 controls is explained as to what reasonably-expected criteria would be to meet that control. Additionally, the NCC provides applicable "best practice" guidance on what steps you need to take in order to comply. That is exactly what you would expect from a dedicated consultant! What do you get if you buy the NCC?

Background on NIST 800-171 Rev 2 Controls

NIST 800-171 requires private companies to protect the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST 800-171 are directly linked to NIST 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and non-federal organizations (e.g., government / DoD contractors). The good news is that ComplianceForge can help you with your compliance needs! We have affordable solutions that range from the NIST 800-171 Compliance Criteria (NCC) all the way to providing you with comprehensive cybersecurity policies and standards, such as the NIST 800-53 Cybersecurity & Data Protection Program (CDPP).

Appendix D of NIST 800-171 provides a direct mapping of CUI security requirements to the security controls in NIST 800-53 rev4 and ISO/IEC 27001:2013. This security control mapping information can be useful to organizations that wish to demonstrate compliance to the CUI security requirements in the context of their established information security programs, when such programs have been built around the NIST or ISO frameworks. NIST 800-53 has direct mapping, where ISO 27001/27002 has gaps that would have to be filled with enhanced policies and standards.

Key Assumptions For NIST 800-171 That Impact Scoping

NIST 800-171 states that contractors may limit the scope of the CUI security requirements to the particular systems or components that process, store or transmit CUI. Isolating CUI into its own security domain by applying architectural design principles or concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for non-federal organizations to satisfy the requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both.

Is Your Organization Assessment Ready for NIST 800-171?

When you "peel back the onion" and prepare for a NIST 800-171 audit, there is a need to address "the how" for certain topics. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation to address HOW it gets done. We did the heavy lifting and created several program-level documents to address this need and they integrate with either the Cybersecurity & Data Protection Program (CDPP) or Digital Security Program (DSP) to provide your organization with a set of robust documentation to prepare for your audit. This gives you a full stack of documentation that covers your needs for policies, standards, procedures, System Security Plan (SSP) and a Plan of Action & Milestones (POA&M). 

 
