What is NIST SP 800-171 Compliance & What Does It Mean for My Company?

The deadline for government contractors to be compliant with NIST SP 800-171 is December 31, 2017, but it’s tough to evaluate your situation if you don’t know how the standard applies to your company.

Every day, the news is filled with stories about cyber-attacks or breaches. What if one happened to your company, would you be ready? How do you get started?

One of the best ways to protect your company is to begin to define security processes, procedures, and controls, and the time to start is now.

Being prepared to handle cyber-attacks will ensure that your business operations and valuable data are protected. As a government contractor, you have the added responsibility of safeguarding our nation’s valuable data assets. To guarantee that risks are mitigated, cyber risks standards are now being applied to contracts that are issued by the DoD. 

The standards are outlined in the Defense Federal Acquisition Regulation Supplement (DFARS). The DoD requires contractors to demonstrate cybersecurity adherence for protection of Covered Defense Information (CDI) and Controlled Unclassified Information (CUI), or Unclassified Controlled Technical Information (UCTI). If there are any doubts about the nature of your data, make sure to discuss with your Contracting Officer (CO).

nist blog 1.jpg
Exhibit 1 - Types of Information


Expect to see the following DFARS references in your contract. You will be expected to demonstrate compliance to these standards.

nist blog 2.jpg
Exhibit 2 - DFARS Clauses - Cybersecurity


The three DFARS clauses above mandate that defense contractors adhere to the security requirements, demonstrating cybersecurity protections are adequate to protect information from attack. The security requirements are specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

For ease of use, the security requirements are organized into fourteen families. Each family contains the requirements related to the general security topic of the family. There are 110 controls around non-classified controlled information. This sounds like a lot but keep in mind the type of information that is being protected. In many cases, these controls represent best practices that you may already have adopted.

nist blog 3.jpg
Exhibit 3 - 14 Control Families


Defense contractors must also have in place a mechanism and communication plan if they identify an incident or breach. The notification must happen with 72 hours of the breach. Incident reporting is done via the DoD’s Defense Industrial Base (DIB) Cyber Incident Reporting & Cyber Threat Information Sharing Portal. Be prepared to address the necessary information on the form and provide supporting documents and evidence relating to the breach. 

What Do You Have to Do to Be Compliant?

Contractors have until December 31, 2017 to attain compliance with all the security requirements in NIST SP 800-171. Contractors that don’t have all the NIST controls implemented must submit a written explanation of how 1) the required security control(s) is not applicable, or 2) an alternative control or protective measure that is used to achieve equivalent protection. All controls must be addressed, either through implementation, remediation, and/or documented explanation of non-applicability.

Getting prepared for this requirement is important for your company. You may consider hiring a consulting service to assist you on this journey. It is critical for the overall success of keeping and winning new government contracts.


Your Unanet Project Management and Accounting System

The Unanet hosted environment will provide the basis for your compliance. We have been diligent regarding compliance requirements as we approach the December deadline.

Unanet recently passed a SOC 2 audit and our cloud provider has mapped the requirements for NIST SP 800-171 (and NIST SP 800--53 compliance, in the case of CDI stored in cloud systems). 

This section discusses NIST requirements which relate to:

  1. Multi-Factor Authentication
  2. Identification & Authentication Controls
  3. Cyber Incident Reporting
  4. Data Encryption


  1. Multi-Factor Authentication

To deliver robust support for individual customer’s requirements for multi-factor authenticated access both to Unanet and other information systems which contain CUI, Unanet integrates with leading providers of Identity and Access Management (IAM) tools such as OneLogin, Duo and Okta, and other providers via SAML.


  1. Identification & Authentication Controls

IAM vendors, such as those identified above, include robust capabilities related to logon management, and password complexity and reuse that satisfy the relevant NIST Controls.


  1. Prompt Cyber Incident Reporting

Customers using Unanet’s cloud offering will be notified of any unauthorized intrusion.


  1. Data Encryption

The requirements for data encryption are met through use of SSL, and the availability of the Unanet cloud platform in a FedRAMP Moderate environment that uses data encryption at rest. Contact your Customer Success Manager for more information.

US-Based Support

You should also be aware that all Unanet software is developed, hosted and supported in the United States, and exclusively by US citizens.

This is not a requirement of the NIST standard. It does, however, provide an important additional measure of assurance to government contractors. This is especially important in comparison to other industry ERP software developed and supported in countries known to conduct state-sponsored hacking of US organizations.

"Unanet has enabled us to improve revenue forecasting models and share the same real-time revenue data across the organization."President, Mid-Sized Government Contractor
"Our experience with Unanet has been such a vast improvement over our old combination of Deltek T&E and Spreadsheets. "- Brandon Labonte President & CEO, Ardentmc
"The Unanet support team provides the best support I have ever encountered.  Great job and thank you!"- Nick Wagner Director of Quality Management, The ESCO Group
"We selected the Unanet PSA product suite because it works, is simple to administer, and has rich functionality."- Brian MacDonald Director of Information Systems L-3 Communications Corporation
Being able to see where we are on projects REAL TIME instead of waiting for Monday processing has made it much easier to let clients know exactly where we are with their projects. Unanet has set a higher standard for project reporting and there is more to come!. - Jenny Clark director, solvability