NIST 800-171 Compliance

NIST SP 800-171 is a standard that defines how to protect and distribute Controlled Unclassified Information (CUI) for government contractors.

Controlled Unclassified Information (CUI) is a type of marking tool used by the federal government to identify information and confidential data that is not classified yet requires protection from unnecessary disclosure (e.g., financial records or Personally Identifiable Information).

NIST SP 800-171 Contains 110 Security Controls Across the Following 14 Categories:

3.1 Access Control 

3.2 Awareness and Training 

3.3 Audit and Accountability 

3.4 Configuration Management 

3.5 Identification and Authentication 

3.6 Incident Response 

3.7 Maintenance

3.8 Media Protection

3.9 Personnel Security

3.10 Physical Protection

3.11 Risk Assessment

3.12 Security Assessment

3.13 System and Communications Protection

3.14 System and Information Integrity 

The 14 Categories Cover 5 Main Elements from the NIST Cybersecurity Framework:

CMMC & NIST 800-171

The effort to become NIST SP 800-171 compliant has additional benefits for CMMC compliance. CMMC currently contains the same 110 controls found in NIST SP 800-171. The changes to CMMC to date have eliminated the additional controls and will allow many companies to self-assess rather than go through a third-party assessment. In effect, NIST 800-171 compliance will be your company’s basis for CMMC compliance.

Why Comply?

The DFARS clause 252.204-7012 interim rule, released on September 29, 2020, requires that all government contract awards issued to contractors depend on the contractor entering a Supplier Performance Risk System (SPRS) score in the SPRS database. The SPRS score is calculated from the NIST SP 800-171 requirements that the contractor has implemented. Your score in the SPRS database may be a consideration during the selection process.

DFARS Interim Rule Executive Summary

CMMC is being rolled out by DoD. While the rule is in the late stages of rulemaking and is not official yet, companies should be getting ready NOW. There are already contract requirements for compliance with NIST 800-171, which will be the foundation of CMMC certification.

DoD expects all new DoD contracts eventually to contain CMMC requirements, starting with the initial rollout now expected in late 2024 or 2025. The CMMC Ecosystem is in full swing as companies get certified to be assessors, and some provisional assessments have already been performed. Once CMMC becomes law and is published, DoD contracts will begin to include the requirement in their RFPs.

If you are not CMMC certified at the appropriate level prior to contract award, then working on DoD contracts will not be possible. Since you already have requirements on DoD and civilian contracts to comply with NIST 800-171, you should be working toward that compliance now with an eye toward readiness for CMMC, which could include an assessment from a Third Party, depending on the contract requirements.

The Maryland DCAP Grant Program

The Maryland Defense Cybersecurity Assistance Program (DCAP) provides funding and assistance for Defense Contractors to comply with the DFARS and NIST 800-171 Standards for cybersecurity, as well as prepare for the upcoming CMMC certification. The program provides funding and resources for Maryland companies to comply with the cybersecurity standards. Funded by the Department of Defense’s Office of Local Defense Community Cooperation (OLDCC) through the Maryland Department of Commerce, the program is being coordinated by the MD MEP.

Grant funding is limited and there is a waiting list at this time. If you have interest in the program, we recommend submitting an application to the MD MEP Team as soon as possible. Contact us to assist!

Program Benefits  

  • Up to 60% off mitigation costs.   
  • $2,500 grant funding reimbursement for the CMMC Pre-Assessment.  
  • Reported $513,402,088 total retained sales and $155,158,419 total increased sales from client recipients.  
  • Reported total of 3,051 retained jobs and 136 increased jobs from client recipients.

Braxton-Grant’s 3-Step Cyber Assessment

Braxton-Grant is a cybersecurity consulting organization with NIST SP 800-171 Subject Matter Experts to assist in pre-assessments for organizations with DoD contracts.

We have developed a low-cost solution to help companies get compliant quickly and stay compliant without disrupting your budget.

For more information about how this three-step process would work for your company, please call for a free consultation or contact us to schedule a meeting.

Contact Us

We want to become an extension of your team.

Find out how you can take advantage of our deep experience and expertise. Contact us today!
