NIST SP 800-171 Services

Protect Controlled Unclassified Information (CUI) in non-federal information systems and organizations

If you provide services to the U.S. federal government, you must provide documentation and evidence as to how your organization is protecting Controlled Unclassified Information (CUI).

As such, government contractors and other organizations must complete an assessment against NIST SP 800-171 – "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations" – to provide services for transmitting or storing this data in non-federal information systems. The CUI requirements within NIST SP 800-171 are directly linked to the baseline controls described in NIST SP 800-53 – "Security and Privacy Controls for Federal Information Systems and Organizations" – and are intended for use by federal agencies in contracts or other agreements established between those agencies and non-federal organizations.

To comply with CUI requirements, your organization must fully understand what CUI it stores, processes, or transmits in the course of doing business with the federal government. You must also be prepared to provide adequate documentation describing your technical solutions, policies, and evidence of being able to detect and respond to incidents.

How Coalfire Helps

Coalfire provides advisory and assessment services to meet your NIST SP 800-171 needs. From controls mapping of various environments, to documentation development for a system security plan (SSP) to security testing and plan of action and milestones (POA&M) management, Coalfire can do it all through an assessment process that follows a Risk Management Framework (RMF) approach.

  • NIST SP 800-171 Assessment – Includes:
    • FIPS 199 system categorization
    • FIPS 200 and agency control selection
    • Implementation of applicable security controls
    • Assessment of security controls
    • Authorization recommendation of system
    • Continuous monitoring
  • NIST SP 800-171 Advisory – We support or create NIST 800-171 required documentation sets including a System Security Plan (SSP) to protect and ensure the control of CUI and any additional guidance based on client or agency requirements.

Why Choose Coalfire for your NIST-based Assessment Services

  • Coalfire has been assessing and advising organizations to NIST 800-53 standards since its inception.
  • Coalfire is an accredited Federal Risk and Authorization Management Program (FedRAMP) third party assessment organization (3PAO), a designation obtained in part through demonstrated, technical experience with NIST 800-53 assessments.

Coalfire has conducted FISMA and other NIST-based assessments that are relied on by leading agencies such as HHS, CMS, NIH, DHS, DOT and more.