NIST 800-171 Compliance Consultant Services
At RSI Security, we are experts in guiding you through the process of achieving NIST 800-171 compliance by implementing security measures for defense against cyber incidents.
United States Department of Defense contractors that collect, store, or transmit Covered Defense Information (CDI) or Controlled Unclassified Information (CUI) have been required to comply with NIST SP 800-171 under DFARS clause 252.204-7012 since December 31, 2017. The obligation flows down: prime contractors and their subcontractors must comply with NIST SP 800-171 or risk losing the corresponding government contract.
How Do I Become NIST 800-171 Compliant?
To achieve or maintain NIST SP 800-171 compliance, implement all 110 Requirements (SP 800-171 Rev 2) across the 14 Requirement Families, and document how each is met in a System Security Plan (SSP), with a Plan of Action and Milestones (POA&M) for any requirement not yet fully implemented. Then conduct a self-assessment, using the assessment procedures in NIST SP 800-171A, or an assessment validated by an assessor organization recognized by the government agency you intend to work with. Where CMMC applies, Level 2 certification assessments are performed by a CMMC Third-Party Assessment Organization (C3PAO). RSI Security supports each of these steps as a NIST 800-171 compliance consultant.
NIST 800-171, DFARS, & CMMC Compliance
Examples of DoD information qualifying as CUI include:
RSI’s experts assist federal government contractors in understanding the risks of storing CUI in their systems and in identifying the liability they carry if their subcontractors mishandle CUI.
Through our assessment and gap analysis services, supported by vulnerability scans and penetration tests, we guide you through the NIST 800-171 requirements so that CUI is either scoped out of systems that cannot be brought into compliance or those systems are made fully compliant.
NIST 800-171 Compliance FAQs
There are 110 Requirements in SP 800-171 Rev 2, spread across 14 Requirement Families as follows:
- Access Control – 22 Requirements
- Awareness and Training – 3 Requirements
- Audit and Accountability – 9 Requirements
- Configuration Management – 9 Requirements
- Identification and Authentication – 11 Requirements
- Incident Response – 3 Requirements
- Maintenance – 6 Requirements
- Media Protection – 9 Requirements
- Personnel Security – 2 Requirements
- Physical Protection – 6 Requirements
- Risk Assessment – 3 Requirements
- Security Assessment – 4 Requirements
- System and Communications Protection – 16 Requirements
- System and Information Integrity – 7 Requirements
The NIST SP 800-171 Requirements are stated as outcomes and do not prescribe the specific mechanisms or technologies used to satisfy them. NIST does, however, provide mappings in Appendix D of SP 800-171 Rev 2: Tables D-1 through D-14 map the Requirements of each family to the corresponding NIST SP 800-53 controls and to ISO/IEC 27001 controls (Table D-14, for example, covers the System and Information Integrity family). These mappings are informational; an assessor evaluates the SP 800-171 Requirements themselves, not the mapped controls.
The CMMC applies specifically to DoD contractors; CMMC 2.0 comprises three Levels of increasingly robust security requirements. Level 1 corresponds to the 17 basic safeguarding practices of FAR 52.204-21 as CMMC 2.0 was announced, all of which are drawn from SP 800-171 (not SP 800-172), and is verified by annual self-assessment. Level 2 requires full implementation of all 110 SP 800-171 Requirements, generally verified by a C3PAO assessment. At Level 3, organizations must also implement a selection of the enhanced requirements from NIST SP 800-172, with assessment performed by the DoD.
NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, is a catalog of security and privacy controls (the Risk Management Framework itself is described in NIST SP 800-37, which selects controls from SP 800-53). It applies broadly to organizations of all sizes and across all industries, regardless of their relationship to governmental entities. SP 800-53 Rev 5 comprises 20 control families, many of which overlap with the Requirement Families in NIST SP 800-171; SP 800-171 was in fact derived from the SP 800-53 moderate baseline, tailored for nonfederal systems.
Yes. SP 800-171 Rev 2 protects CUI at rest through several Requirements: 3.13.16 requires organizations to protect the confidentiality of CUI at rest (the requirement is stated as an outcome, and full-disk or file-level encryption is the usual way to meet it), 3.1.19 explicitly requires encrypting CUI on mobile devices and mobile computing platforms, and 3.8.9 requires protecting the confidentiality of backup CUI at storage locations.
Yes. NIST SP 800-171 is derived from FIPS 200 and the moderate baseline of SP 800-53, tailored for nonfederal systems. Where cryptography is used, FIPS 140 applies: Requirement 3.13.11 states that FIPS-validated cryptography must be employed when cryptography is used to protect the confidentiality of CUI. In practice this means that encryption of CUI at rest, and of CUI in transit under 3.13.8, must use cryptographic modules validated under the Cryptographic Module Validation Program (FIPS 140-2 or FIPS 140-3), and an assessor will ask for the module's CMVP certificate number, not just a claim that "AES" is in use.
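The two answers above are the ones that most often get checked against real hosts during an assessment: is the filesystem holding CUI actually on an encrypted device (3.13.16), and is the cryptography on that host running in FIPS mode (3.13.11)? The script below is an added example written for this page, not RSI Security's tooling and not a NIST artifact. It assumes a Linux host, util-linux `lsblk -J` JSON output, the kernel's `/proc/sys/crypto/fips_enabled` flag, and an operator-supplied list of CUI paths; the device tree and paths embedded in it are constructed sample data. Kernel FIPS mode is evidence that validated modules are in use, not a substitute for the CMVP certificate itself.

```python
"""Evidence check for CUI at rest (added example, not RSI Security's code).

Maps two SP 800-171 Rev 2 requirements onto host-level evidence:
  3.13.16  protect the confidentiality of CUI at rest -> is the filesystem
           holding each CUI path backed by a dm-crypt/LUKS device?
  3.13.11  use FIPS-validated cryptography            -> is the kernel in
           FIPS mode (/proc/sys/crypto/fips_enabled == 1)?
Assumptions: Linux, util-linux `lsblk -J`, and a known list of CUI paths.
FIPS mode indicates validated modules are in use; the CMVP certificate for
the module in use is still the evidence an assessor will ask for.
"""
import json
import subprocess

# Constructed sample: LVM-on-LUKS root and /home, an unencrypted /boot
# partition, and an unencrypted data disk mounted at /srv/exports.
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "mountpoint": "/boot"},
            {"name": "sda2", "type": "part", "mountpoint": None, "children": [
                {"name": "luks-root", "type": "crypt", "mountpoint": None,
                 "children": [
                     {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                     {"name": "vg-home", "type": "lvm", "mountpoint": "/home"},
                 ]},
            ]},
        ]},
        {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
            {"name": "sdb1", "type": "part", "mountpoint": "/srv/exports"},
        ]},
    ]
})
SAMPLE_FIPS = "1\n"  # constructed: kernel reports FIPS mode on
SAMPLE_CUI_PATHS = ["/home/cui", "/srv/exports/cdi", "/var/lib/app"]


def parse_fips_enabled(text):
    """Interpret /proc/sys/crypto/fips_enabled; None when unreadable/unknown."""
    text = (text or "").strip()
    if text not in ("0", "1"):
        return None
    return text == "1"


def encrypted_mountpoints(lsblk_json):
    """Return {mountpoint: encrypted?} by walking the lsblk device tree.

    A filesystem counts as encrypted when the device it sits on, or any
    ancestor in the stack (LUKS under LVM, or LVM under LUKS), is type 'crypt'.
    """
    mounts = {}

    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get("type") == "crypt"
        # newer util-linux may emit "mountpoints" (a list) instead of "mountpoint"
        points = dev.get("mountpoints") or [dev.get("mountpoint")]
        for mp in points:
            if mp:
                mounts[mp] = under_crypt
        for child in dev.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match of a path against the known mountpoints."""
    candidates = [m for m in mounts
                  if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(candidates, key=len) if candidates else None


def check_cui_at_rest(cui_paths, lsblk_json, fips_text):
    """Evaluate each CUI path and return a report with an overall verdict."""
    mounts = encrypted_mountpoints(lsblk_json)
    fips = parse_fips_enabled(fips_text)
    report = {"fips_mode": fips, "paths": {}}
    for p in cui_paths:
        m = mount_for(p, mounts)
        report["paths"][p] = {"mount": m, "encrypted": bool(m and mounts[m])}
    # Both conditions must hold: validated crypto (3.13.11) protecting every
    # CUI location at rest (3.13.16).
    report["compliant"] = fips is True and all(
        v["encrypted"] for v in report["paths"].values())
    return report


def main():
    """Use live host data when available, otherwise the constructed sample."""
    try:
        lsblk = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                               capture_output=True, text=True, check=True).stdout
        with open("/proc/sys/crypto/fips_enabled") as f:
            fips = f.read()
    except (OSError, subprocess.CalledProcessError):
        lsblk, fips = SAMPLE_LSBLK, SAMPLE_FIPS
    print(json.dumps(check_cui_at_rest(SAMPLE_CUI_PATHS, lsblk, fips), indent=2))


if __name__ == "__main__":
    main()
```

On the constructed sample the report flags `/srv/exports/cdi` because `sdb1` has no `crypt` device anywhere in its stack, so the host is not compliant even though FIPS mode is on; `/home/cui` and `/var/lib/app` resolve to LVM volumes sitting on the LUKS container and pass. In an SSP this output belongs with the system inventory as evidence for 3.13.16, alongside the CMVP certificate number for the kernel's crypto module.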