loader image

NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

When President Obama signed Executive Order #13,636 (EO) (Improving Critical Infrastructure Cybersecurity), he instructed the National Information Technology Laboratory (NIST) to take action. These actions are broad and directed toward higher resiliency in and around Cybersecurity as it relates to critical infrastructure in the United States. 

Sec2Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

The part of this EO we are discussing today is in regards to Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program. Through this EO, NIST publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, was activated. What is the NIST 800-171, what does it mean to government contractors and how can you comply?

Glad you asked! For any private companies working on government contracts, the Controlled Unclassified Information (CUI) represents new obligations that must be addressed. In essence, contracting officers will be imposing NIST requirements on vendors for protecting the confidentiality of CUI. 

For non-federal contractors and vendors, there are multiple approaches and solutions to address competence under these new guidelines, although there is not single compliance standard. The two most popular and universally adopted are the NIST Special Publication 800-53 or ISO 27001.

With the National Archives and Records Administration (NARA) issuing a federal regulation to make the requirements of Special Publication 800-171 required government-wide, the time to choose a strategy and direction is right now if you are a government contractor. The forthcoming Federal Acquisition Regulation (FAR) will require that contractors meet the specified measures in 800-171. This will impact many government contractors. 800-171 is far reaching, broad and very detailed across fourteen families of cybersecurity requirements. Those families are as follow.
  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Indentifiecation and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personal Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity
327 Solutions is ready to support you immediately. Our team of Risk Management, Cyber Security, and DoD Policy experts can help assess your current state and recommend a plan of action (POA) to reach a compliant level through training and mentoring services. 

327 Solutions is a global provider of ISO 27001 training and certification Bootcamps, helping teams address the broad implications of 800-171 quickly and efficiently. We have publicly available  courses and are happy to come to your site anytime for private events. 

Brian D. McCarthy, founder and Managing Partner of 327 Solutions is Organizational Development business partner to the Fortune 1000 and Department of Defense.

He has over two decades high level experience in Talent and People Development having worked with the largest employers and government agencies across the USA and globally.

He recently completed a technical review and edit for a Wiley Publishing and (ISC)2 training book for SSCP

​Mr. McCarthy is highly versed in sale, operations, customer service, GMP/GXP, financial training and also, 8570.1-M, 8140, ISO, Cyber Security, Project Management, Six Sigma and other learning areas. 

Mike Heimes

Indiana, 327 Solutions is Here!

327 Solutions, Inc. is excited to announce our new locations in Indianapolis, Odon, and Evansville Indiana. From these facilities, 327 Solutions and our partners will

Read More »