The National Institute of Standards and Technology (NIST) released NIST SP 800-171 in 2015. The primary objective was to ensure the protection of controlled unclassified information (CUI) in nonfederal agencies. A year later, DFARS (Defense Federal Acquistion Regulation Supplement) added the 252.204-7012 regulation that mandated any nonfederal agency handling or trasnmitting CUI had to safeguard that data as per the NIST guidelines. 

From 2016 until the present, the standard has undergone a few different modifications. The next major revision, however, was r2, which was released in 2020. 


Do you have specific questions you would like to discuss with a Smithers expert? Schedule a 30-minute meeting today.

Schedule Today

How to Comply with NIST 800-171

You probably know that if you work with the Department of Defense, NASA, or certain other federal and/or state agencies,you must be able to verify that your organization is properly handling CUI. If you are not NIST 800-171 compliant, certain contracts will be out of reach, meaning you could lose existing customers and also lose potential future customers. What exactly is involved in complying with NIST SP 800-171?

The NIST SP 800-171 requirement covers fourteen control families, 110 controls, and 320 objectives. While there is a lot to know, there are also tools and experts that will guide your organization from start to finish. In the interim, here is a quick review of what the fourteen control families require.

Access Control

Access Control is the first family and it is also the biggest, with 22 controls in total. As the name suggests, these controls and objectives help to protect the confidentiality of CUI your organization stores or transmits.


Awareness and Training

The awareness and training segment focuses on providing managers, employees, administrators, and anyone else who might come into contact with CUI with the training they need to be compliant. Most hacking events occur because of human error. The best preventive medicine is thorough, high-quality training. These controls and objectives concentrate on how organizations can ensure this training is taking place on a regular basis.

Show Policy

New! NIST 800-171 assessment checklist!

Follow us on LinkedIn

Audit and Accountability

The Audit and Accountability segment includes nine controls. Independent and self-assessments are extremely important in the compliance process, and third-party assessments will become more important in the months and years to come. Companies must be able to prove through the audit process that they are complying and correcting any errors that have occurred.

Configuration Management

The Configuration Management family also incorporates nine controls. In order to comply with NIST 800-171, an organization needs to ensure it has control over user-installed software as well as any other changes that might made to the company’s systems.

Identification and Authentication

There are eleven controls in the Identification and Authentication family. As the name suggests, these controls and objectives concentrate on any users and devices that will be accessing data.

Incident Response

It might be surprising that there are controls having to do with Incident Response. After all, NIST compliance is meant to ensure that there are no incidents where data breaches are concerned. Nonetheless, sometimes risks are detected, and sometimes emergencies happen. An organization needs to have a plan in place so that remediation can occur as soon as possible.


This family is fairly straightforward. Organizations that handle CUI need to be perpetually vigilant. The assessment process assists with this, but even between assessments, there should be steps in place to make sure everything is as it should be.

Media Protection

This family calls for the security of all system media that contains CUI, regardless of whether that media is paper or digital.

Locked Computer

Physical Protection

Often it is assumed that cybersecurity compliance would impact only the digital world. However, security requirements covered by this standard include physical safety as well. Hardware, software, and any other data storage equipment need to be protected by an organization that handles CUI.

Personnel Security

Personnel Security is another straightforward control family. It requires protection for all employees, meaning any information pertaining to the employee’s personal details need to be secured. This would include termination and transfer paperwork, onboarding information, and more.

Risk Assessment

Risk assessment controls in NIST 800-171 specify that all potential risks to IT and critical systems need to be assessed regularly.

Security Assessment

A security assessment requires the regular review of security controls to determine how effective they are and what actions are needed to improve upon vulnerabilities.

System and Communication Protection

The System and Communication Protection [link to child page] family is another large group of controls – 16 in this case. This is where monitoring and protecting information that flows through IT systems is outlined.

System and Information Integrity

This final control family is not at all surprising. It requires organizations to protect data from malicious code. If issues are spotted, they need to be remediated as soon as possible.

Why Pursue a NIST 800-171 Certification?

After reviewing all of the families and only some of the controls, it is easy to tell that pursuing a NIST SP 800-171 certification can be a significant time investment for your organization. Why go through this process?

It Might Be Mandatory

The most obvious reason to pursue compliance is it could be mandatory for your company. If you are a contractor or sub-contractor for the Federal Government, there is a strong likelihood you are receiving CUI you need to protect. Contractors with the DFARS 252.204-7012 clause in contracts have actually been mandated to comply with this standard since 2018.

Healthy Habits

While NIST 800-171 is geared toward protecting CUI, pursuing the certification and going through the continuous assessment process will increase the health of your organization. Essentially, your team will be implementing best practices in cybersecurity from the top to the bottom.

Security for the Present and the Future

There is never a good time for a cyberattack or a data breach, especially if you handle CUI. The immediate repercussions can be devastating enough. Once a company undergoes an incident, it is extremely difficult to regain trust from partners, customers, and vendors. With a NIST 800-171 in place, an organization can feel confident that most vulnerabilities have been identified and addressed. They also know that if an incident does occur, they will be able to fix the issue quickly and effectively.

Business Growth

As was mentioned previously, federal agencies and large corporations in the Aerospace and Defense sector are increasingly demanding NIST 800-171 compliance, and they soon will be requiring CMMC in some cases as well. Even now, some businesses are at risk of losing important contracts because they are not NIST-compliant. If the organization’s desire is to gain a larger foothold with government or DoD contracts, NIST 800-171 has to be a high priority.

Rapid Response

NIST 800-171 requires an organization to have a crisis plan in place, whether a vulnerability has been spotted or whether an actual ransomware attack or data breach has occurred. Everyone in the organization, and everyone with whom the organization works, will have confidence that should an issue occur, it will be dealt with in the most efficient way possible.

A Domino Effect

If you are not NIST-800-171 certified and your organization experiences a cyberattack or a data breach, you will not only have to deal with that actual issue. Without the NIST 800-171, your company can be found liable for any damages your clients experience as a result of the incident. Moreover, if your organization has handled federal CUI, the government can also fine your business. All of this adds up to a lot of financial impact to handle on top of the cost of getting your business back up to working speed. The benefits of going through the certification process seem clear when viewed through this prism.

If you are a manufacturer seeking CMMC/NIST compliance, our CMMC for Manufacturers page page offers more resources and FAQs.

Why Choose Smithers?

If you are seeking a partner rather than a one-time assessor, working with a Smithers expert will be the best choice for you. Smithers focuses on relationships, not transactions. With that in mind, you will experience consideration of your time and budget, reliable service, continuous assessments, and the highest standards of performance. To learn more about the certifications we offer or what is the best next step for you, schedule a 30-minute meeting with our cybersecurity experts today.

Book an Introductory Meeting

Click Here

Latest Resources

See all resources