What’s at Stake with NIST 800-171 and How to Ensure You’re Compliant

Over the past three years, the National Institute of Standards and Technology (NIST) defined the 800-171 security requirements. These requirements were designed to protect Controlled Unclassified Information (CUI) in nonfederal information systems and organizations.

When the DFAR (Defense Federal Acquisition Regulations) came out, most believed this mandate would finally establish protections among the government contractors that support federal agencies, ensuring that certain types of federal information are protected in any environment. The Department of Defense created milestones that every federal system integrator or contract holder must meet to uphold these requirements.


There are 14 categories (families) of security requirements that must be met. Each category has a unique set of policy tests that affected programs must satisfy.

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Physical Protection
  10. Personnel Security
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

The 800-171 requirements stem from NIST 800-53, which is a DFAR that controls unclassified information shared between the federal government and a non-federal entity.

Since 2015, we have watched and engaged with many system integrators and manufacturers to ensure our federal government contractors meet all 800-171 DFAR mandates. The final date by which all contractors had to meet DFARS 800-171 has passed, and most are not in compliance with the December 2017 deadline. Additional controls are to be introduced in the coming months, so if you are not yet compliant, you need to be.


There will be consequences for non-compliance: being unable to conduct business with the federal government means large revenues lost and existing federal contracts being held at a standstill or withdrawn completely.

As Beverly Cornelius points out in a blog on The State of Security, the following three things are inevitable:

  • Contract Termination. It is reasonable to expect that the U.S. government will terminate contracts with prime contractors over NIST 800-171 non-compliance since it constitutes a failure to uphold contract requirements. Subcontractor non-compliance will cause a prime contractor to be non-compliant as a whole.
  • Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act, for it fits the definition of any act intended to deceive through a false representation of some fact resulting in the legal detriment of the person who relies upon the false information.
  • Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a NIST 800-171-related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., NIST 800-171 controls).

As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.


To become compliant, you can do the following things:

  1. Make someone responsible for the efforts.
  2. Review your current outlook and what needs to be done.
  3. Contact an organization that can help.

In watching many OEM companies’ attempts to sell their products, it has become clear that some are not advertising their solutions accurately. The unclear presentation of their solutions has burned cycles for contractors who have been desperately trying to meet the federally mandated dates. It is clear that some of the controls are complex, hard to implement, and certainly cannot be met with one or two companies’ solutions.

No single company can meet all of the mandates, so when a vendor claims it can cover every control, or even a single control in full, be prepared to question it thoroughly. Very few vendors, Tripwire among them, can fully cover even a single control.

Therefore, in order to meet these mandates, companies like Tripwire have cross-pollinated with other best-of-breed solutions providers and found ways to bring together multiple products to meet the requirements.

Tripwire’s collaborative efforts break down the walls between vendors and combine the solutions that multiple vendors provide to accurately meet 800-171 and protect our federal government’s data. This has simplified the research for IT staff, so that you only need to reach out to one point of contact. You will immediately have a team that will guide any contract holder toward meeting all DFAR requirements.



via:  tripwire
