Strike Graph now offers NIST 800-171

We’re happy to announce that Strike Graph now offers NIST 800-171!

If you’re looking to land government contracts, this one’s for you. NIST 800-171 prepares companies to protect the confidentiality of controlled unclassified information, or CUI, defined by NIST as “information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls.” Since NIST compliance usually appears as a contractual obligation for any partnering organization of a government institution, being compliant can also help you win deals.

And, if you’re looking to the future, NIST 800-171 is a great first step toward achieving CMMC certification — but more on that later.

What is NIST?

The NIST Cybersecurity Framework — or CSF — is the U.S. government's set of cybersecurity and data-protection best practices, drawn from other established frameworks. Compliance with the NIST CSF is required of any organization that does business with the U.S. government, as well as with many state agencies.

NIST also publishes special publications such as NIST 800-171. To achieve NIST compliance, organizations self-assess and self-attest by auditing every part of their systems and networks that stores or processes CUI against the list of requirements in NIST 800-171. There are eight steps for conducting a NIST 800-171 self-assessment, and compliance is scored against the 110 security requirements within the framework. Each requirement implemented represents a single-point score.

Which types of companies can benefit from achieving NIST compliance?

NIST SP 800-171 applies to organizations that process or store any unclassified, sensitive data on behalf of a government institution. Companies that can benefit from achieving NIST compliance include those that plan to contract with the US DoD, those that are currently participating in the CMMC program with the DoD, and those trying to get organized to adhere to multiple (supported) frameworks. This may include, but is not limited to:

  • Service providers, consulting companies, or contractors for agencies like the General Services Administration (GSA), the Department of Defense (DoD), and the National Aeronautics and Space Administration (NASA).
  • Universities or other organizations involved in research that receive federal funding.
  • In some cases, vendors or sub-contractors that are part of a federal supply chain but don’t directly handle CUI.

Achieving NIST compliance prepares you for CMMC.

Being NIST compliant can help your organization with additional security frameworks like the Cybersecurity Maturity Model Certification (CMMC). The CMMC Framework is a DoD program set up to defend against cyber attacks and protect CUI that resides on contractor or subcontractor systems or networks of suppliers.

Certification is a requirement if your organization plans to contract any work with the U.S. Department of Defense. CMMC comprises three levels of certification, and each level builds upon the one below it. Organizations become certified after undergoing an audit.

Because the CMMC uses the NIST SP 800-171 framework, maintaining ongoing and accurate NIST 800-171 compliance is a great way for DoD contractors to get started toward CMMC certification.

How Strike Graph can help you reach NIST compliance

Strike Graph can help you identify specific data points that prove your controls and map them to the 110 NIST 800-171r2 security requirements. By automatically collecting validated security evidence, we’ll help you ensure constant NIST compliance, and our evidence collection reminders will keep you on track so that annual reassessment won’t sneak up on you.

Already ISO 27001 certified? Since NIST 800-171 and ISO 27001 cover the same areas of information security, ISO 27110 can be used to integrate NIST CSF recommendations into a comprehensive ISO 27001 ISMS, and NIST 800-171 requirements can be mapped to the international ISO 27001 standard in key control areas.

Keep up to date with Strike Graph.

The security landscape is ever changing. Sign up for our newsletter to make sure you stay abreast of the latest regulations and requirements.