NIST SP 800-171 Services

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

Non-federal organizations that provide services to U.S. Government Agencies, such as government contractors; manufacturers; state, local, and tribal governments; colleges and universities; etc., must now provide documentation and evidence of how they are protecting Controlled Unclassified Information (CUI). The CUI requirements recommended for use in this publication are derived from FIPS Publication 200 and the moderate security control baseline in NIST Special Publication (SP) 800-53. An assessment against NIST SP 800-171 is needed to provide services for transmitting or storing this data in non-federal information systems. This requirement is documented in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and other federal procurement documents.

NIST SP 800-171 "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations" provides guidance for federal Agencies to ensure that certain types of federal information are protected when processed, stored, and used in non-federal information systems. Agencies require NIST SP 800-171 compliance for protecting the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST SP 800-171 are directly linked to the NIST SP 800-53 "Security and Privacy Controls for Federal Information Systems and Organizations" baseline controls and are intended for use by federal Agencies in contracts or other agreements established between those Agencies and nonfederal organizations. Organizations must now fully understand what CUI they store, process, or transmit in the course of doing business with the federal government and be prepared to provide adequate documentation describing their technical solutions and policies, along with evidence of being able to detect and respond to incidents.

How Coalfire helps

Coalfire provides advisory and assessment services to meet your NIST SP 800-171 assessment needs. From controls mapping of various environments, to documentation development for a system security plan (SSP), to the assessment itself through security testing and POA&M management, Coalfire can do it all. The assessment process follows a Risk Management Framework (RMF) approach.

  • NIST SP 800-171 Assessment - FIPS 199 categorization, FIPS 200 and Agency control selection, implementation of applicable security controls, assessment of security controls, authorization recommendation for the system, and continuous monitoring.
  • NIST SP 800-171 Advisory - support or create the NIST 800-171 required documentation set, including the System Security Plan (SSP), to protect and ensure the control of Controlled Unclassified Information, plus any additional guidance based on client or Agency requirements.

Why choose Coalfire for your NIST-based assessment services?

  • Coalfire has been assessing and advising organizations against NIST 800-53 standards since its inception.
  • Coalfire is an accredited Federal Risk and Authorization Management Program (FedRAMP) third party assessment organization (3PAO), a designation obtained in part through demonstrated technical experience with NIST 800-53 assessments.
  • Coalfire has conducted FISMA and other NIST-based assessments that are relied on by leading Agencies such as HHS, CMS, NIH, DHS, DOT, and more.