The Effect of NIST 800-171A on Government Contractors

Mali Yared, Practice Director, Cyber Risk Advisory & Privacy, Coalfire

(Part Three in a Three-part Series)

NIST SP 800-171A gives contractors a standardized way to perform a more structured and granular assessment against the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 framework.

The Genesis of NIST 800-171A

NIST SP 800-171 is a government standard that has been developed for the protection of Controlled Unclassified Information (CUI) on nonfederal systems. It includes a set of technical, procedural, and administrative security requirements – 110 in total, spread across 14 families (or domains).

The net effect of NIST SP 800-171A is that it provides additional support and guidance to the federal government contractor as it works toward compliance. It does not introduce an additional layer of compliance steps or any new security requirements.

As contractors pursued compliance, some ambiguities became apparent. The flexibility intentionally given to contractors – to address the NIST SP 800-171 requirements according to the threat landscape they face and the business environment they operate in – led to confusion and misinterpretation. Several contractors expressed an interest in a more templatized and structured approach that would help them take clear steps to demonstrate compliance. NIST, in coordination with the DoD, began work on NIST SP 800-171A (the ‘A’ stands for ‘assessment’). This publication breaks each of the 110 requirements into discrete assessment objectives and describes the assessment methods (examine, interview, and test) that can be applied to each, giving the contractor a clear way to evaluate its CUI environment and a guided structure for documenting evidence of compliance.

The final version of NIST SP 800-171A was released in Spring 2018. Coalfire has published a blog post exploring implementation options.

NOTE: Just like NIST SP 800-171, NIST SP 800-171A is a standard, not a law. NIST does not enforce it; any obligation to implement NIST SP 800-171 comes from contract terms such as the DFARS 252.204-7012 clause, not from the publication itself. NIST SP 800-171A is a series of guidance steps developed by NIST to further clarify the intent behind NIST SP 800-171 and to assist the contractor in maturing toward compliance.

Updated November 26, 2018; originally published March 13, 2018.
