NIST SP 800-171 assessment and advisory services

Connect with us

If your organization provides products or services to the U.S. federal government, the information systems you use to support the product or service contract must meet cybersecurity contract obligations as specified in the Federal Acquisition Regulation (FAR). For Department of Defense (DoD) contractors, FAR contract obligations are augmented with additional cybersecurity requirements imposed within the Defense Federal Acquisition Regulation Supplement (DFARS).

Protect controlled unclassified information with NIST 800-171

Several different cybersecurity requirements are present in the FAR and DFARS, but at a high level, both FAR and DFARS cybersecurity contract obligations are centered around a NIST Special Publication – NIST SP 800-171 – that provides expectations and guidance for private sector organizations that handle controlled unclassified information (CUI) on behalf of the federal government. Thus, if your organization handles CUI as part of your product or service contract, you are expected to implement the security controls defined in NIST SP 800-171.

Although only the DFARS explicitly requires private sector organizations to manage and assess their cybersecurity programs and in-scope information systems against NIST SP 800-171 – the FAR only implicitly sets such expectations – the general industry consensus is that the next major FAR revision will explicitly require adherence to NIST SP 800-171 as part of defined contract obligations, and many agencies are proactively and explicitly incorporating NIST SP 800-171 cybersecurity requirements into RFP, RFQ, and other procurement motions.

We therefore encourage all government contractors to align their cybersecurity program and in-scope information systems to NIST SP 800-171 now, proactively undertaking the preparation and assessment activities necessary to demonstrate adherence to the cybersecurity requirements defined in NIST SP 800-171. To comply with NIST SP 800-171 requirements, your organization must fully understand what CUI it stores, processes, or transmits in the course of doing business with the federal government. You must also be prepared to provide adequate documentation describing your technical solutions, policies, and evidence of being able to detect and respond to incidents and demonstrate you have processes in place to continuously monitor your compliance with NIST SP 800-171 requirements and other cybersecurity requirements present in the FAR and the DFARS.

Department of Defense contractors reviewing cybersecurity controls

NIST SP 800-171 for CSPs

Cloud service providers (CSPs) undertaking FedRAMP® or DoD SRG cloud security authorization to win federal business must also comply with the applicable FAR and DFARS cybersecurity requirements, including NIST SP 800-171, which is superseded by FedRAMP, DoD SRG requirements, and other agency cloud security requirements in almost all cases. As the largest cloud security assessor, we have extensive experience assessing cloud environments against FedRAMP, DoD SRG, and other cybersecurity requirements and are well-equipped to support CSPs navigating cybersecurity contract obligations during their quest for authorization.

NIST SP 800-171 for higher education

Higher education institutions process, administer, and distribute federal financial aid information; receive federal grant awards for research; and may bid on federal contract opportunities for services. Higher education institutions are thus often subject to FAR, DFARS, or Department of Education (ED) cybersecurity contract obligations that require them to implement NIST SP 800-171 controls and comply with specific cybersecurity requirements imposed by the relevant agency. We have worked closely with higher education institutions on NIST SP 800-171 implementation and FAR, DFARS, and ED cybersecurity rule compliance since the publication of the relevant requirements, and have supported higher education institutions with a variety of compliance needs since our inception.

NIST assessment and support from Coalfire

We provide advisory and assessment services designed to help you navigate the entire compliance process for the FAR and DFARS cybersecurity contract obligations and successfully respond to your specific needs. Our services in this space include:

  • NIST SP 800-171 advisory
    • Scoping and gap analysis support for organizations and in-scope information systems in scope
    • Generation of advisory opinions to support scoping rationale and compliance determinations
    • Implementation support for applicable security controls and contract obligations
    • Documentation development support, including system security plan (SSP) and plan of action and milestones (POA&M) preparation
  • NIST SP 800-171 assessment
    • Assessment of security controls
    • Assessment and evaluation of overall compliance with cybersecurity contract obligations
    • POA&M validation and monitoring
    • Compliance recommendation for organizations and in-scope information systems
    • Continuous compliance monitoring

Why choose Coalfire for your NIST 800-171 cybersecurity needs?

  • We conduct numerous NIST SP 800-171, FISMA, and other NIST-based assessments that are relied on by leading agencies, such as the DoD, HHS, CMS, NIH, DHS, DOT, and more.
  • We are the largest accredited FedRAMP Third Party Assessment Organization (3PAO), a designation obtained through demonstrated, technical experience with security assessment activities in cloud environments.
  • We have been working with higher education institutions including entire state university systems for PCI DSS compliance, FISMA compliance, GLBA, and cyber risk program development since our inception in 2001, and have supported such institutions with FAR, DFARS, and ED cybersecurity compliance since the publication of the relevant requirements.

Contact us to improve your cybersecurity posture