7 Easy steps for implementing NIST 800-171


The Department of Defense (DoD) imposed a December 31, 2017 deadline for all defense contractors and subcontractors to implement the information security requirements detailed in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. This deadline has since come and gone, but the reality of the situation is that any firm seeking to continue working with the DoD must become NIST 800-171-compliant. This applies not only to DoD industry partners, but any non-federal organization that accesses US government systems and data.

There are more than a hundred information security requirements in NIST 800-171, and achieving compliance can be daunting for any organization. For firms in the Minneapolis-St. Paul area, a COUPLE of GURUS is the solution. We can guide and support a business toward compliance with the security requirements of NIST 800-171 while ensuring continued productivity.

What is NIST 800-171 about?

NIST 800-171 details the DoD’s requirements regarding the handling of what it considers “controlled information” — broadly, information that is of a sensitive nature. This encompasses how this information is stored, accessed, exchanged, and governed.

There are two classifications of controlled information: controlled technical information (CTI), which relates to space and military applications; and controlled unclassified information (CUI), which encompasses all other information that necessitates privacy but does not require high levels of DoD clearance. CUI can include personal information, patents, financial data, and court records, among others.

NIST 800-171 requires that contractors use a covered information system, which refers to “an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores or transmits covered defense information.” These include email, enterprise content management platforms, on-premises and cloud-based storage systems, file sharing and collaboration platforms, and endpoints used by employees, such as laptops, tablets, and smartphones. Contractors are obliged to regulate the transmission of sensitive information within and between these systems.

Why do you need a COUPLE of GURUS?

For many smaller companies, the number and complexity of requirements in NIST 800-171 can place an enormous burden on IT capabilities, particularly when they are already at capacity due to day-to-day operations. The methodical approach and expertise provided by a COUPLE of GURUS will not only ensure that these requirements are met comprehensively, but do so efficiently and quickly.

Another matter is that businesses are using an increasing number of devices and applications in their processes. Thus, any heightened security requirements can negatively impact productivity. a COUPLE of GURUS aids in the implementation of file sharing practices and governance policies that meet requirements and increase efficiency. This is accomplished through the following steps:

  • Identifying all systems in the network that contain CTI and CUI, including local storage (e.g., SharePoint), cloud storage (e.g., OneDrive for Business), endpoints, and external hard drives.
  • Categorizing controlled information, and separating it from less-sensitive files. This makes it easier to demonstrate compliance in the event of an audit.
  • Implementing access controls that allow only authorized parties to view, share, or download files containing CTI and CUI. a COUPLE of GURUS also sets expiration dates to these files to prevent access after the termination of relevant projects.
  • Encrypting all data, which adds a layer of security to the systems holding and transmitting it, while enabling accessibility for authorized users.
  • Monitoring all those who are accessing controlled information, and tracking how they use it. This ensures that individuals can be held accountable for their actions, and that anomalies can be identified.
  • Training employees on information exchange best practices. This ensures they are aware of their importance and are capable of identifying threats.
  • Conducting a holistic security assessment on systems, procedures, and environments to identify risk.

Compliance with NIST 800-171 is critical for any DoD contracting organization. Failure to do so can lead to the loss of lucrative contracts and, at worst, breach of contract lawsuits or criminal law charges. Thankfully, with a COUPLE of GURUS, you can ensure your organization is set for success. Book an obligation-free meeting with one our Gurus or call us today.