Don’t lose a lucrative government contact because you’re not NIST 800-171 compliant.
The thing about IT security compliance is that when you need it, you need it now. That’s why it’s essential to reach compliance before a big deal depends on it.
Traditional, one-size-doesn’t-fit-all compliance approaches are slow and expensive. And, when you’re ready to expand to CMMC or other non-government security frameworks, they leave you back at square one.
Strike Graph tailors the compliance process to your company’s unique needs and sets you up for easy expansion into other security frameworks you need to drive continued revenue growth — quickly and affordably.
Why NIST 800-171 matters?
NIST Special Publication 800-171 sets guidelines for protecting controlled unclassified information (CUI) in non-federal systems and organizations. It's essential for contractors working with the US Department of Defense (DoD) to ensure data security. Complying with NIST 800-171 is a key step in achieving Cybersecurity Maturity Model Certification (CMMC) compliance, a requirement for DoD contracts.
Strike Graph’s platform takes the headache out of NIST 800-171 compliance.
Take control of your compliance process.
Most IT security compliance companies take a checklist approach that’s the same for every company. Strike Graph’s tailored, risk-based process ensures you’re only investing energy into the areas that matter most for your organization.
Employ strategic automation.
Automating time consuming, repetitive tasks makes the compliance process faster and easier. And, for jobs that require a human touch, Strike Graph distributes responsibility across your organization, lessening the load for everyone.
Future proof your security posture.
Strike Graph’s flexible platform gets you to NIST 800-171 compliance fast and sets you up to easily build toward CMMC and any other security frameworks you need in the future.
Packed with useful features
Here’s how it works.
Achieve NIST 800-171 compliance in three easy steps.
Assign controls and collect evidence.
Achieve and maintain compliance.
Join the hundreds of companies that rely on Strike Graph for IT security compliance.
Dig into the details
Looking to become a NIST 800-171 expert? We have the answers you’re looking for.
What are NIST 800-171 controls?
NIST 800-171 has 110 controls organized across 14 control families. These control families include:
- Access control: Determines who has access to data and whether or not they’re authorized
- Audit and accountability: Ensures your staff is adequately trained on the handling of CUI
- Awareness and training: Ensures you know who’s accessing CUI and who’s responsible for what
- Configuration management: Ensures you follow guidelines to maintain secure configurations
- Identification and authentication: Allows you to manage and audit all instances of CUI access
- Incident response: Ensures you prepare a response plan for breaches of CUI data
- Maintenance: Ensures ongoing security and change management in order to safeguard CUI
- Media protection: Secures the handling of external drives, backups, and other backup equipment
- Personnel security: Ensures you train your staff to identify and prevent insider threats
- Physical and environmental protection: Ensures only authorized personnel are in physical spaces where CUI lives
- Risk assessment: Helps you develop a risk profile for CUI breaches as well as evaluate your current level of risk
- Security assessment: Audits and verifies the effectiveness of your security procedures
- System and communications protection: Secures your comms systems and channels
- System and information integrity: Addresses new vulnerabilities and system downtime
Who does NIST 800-171 apply to?
NIST SP 800-171 provides recommended requirements for protecting the confidentiality of controlled unclassified information, or CUI, for government contractors and subcontractors. Therefore, if an organization is a part of the Department of Defense (DoD), General Services Administration (GSA), National Aeronautics and Space Administration (NASA), or other federal or state agencies’ supply chain, it must implement the security requirements included in NIST SP 800-171.
What is a good NIST 800-171 score?
NIST 800-171 compliance is scored via the 110 security requirements within the framework, with each requirement implemented representing a single point score. Therefore, the highest possible score is a 110, and the lowest possible score is a -203 (the assessment is conducted on a weighted basis because some requirements have a higher impact on the security of CUI than others). A good NIST 800-171 score should be as close to 110 as possible, but this will depend on the specifics of your contract with the DoD.
How do I improve my NIST 800-171 score?
We recommend you first conduct a self-assessment — known as an internal gap assessment — before the actual NIST 800-171 assessment. This way, you can internally evaluate your implementation of the weighted NIST 800-171 requirements and strategically identify any vulnerabilities in your security infrastructure and implementation. A partner like Strike Graph can help you with this.
Is there a NIST 800-171 certification?
Yes, but this is for people who want to obtain a Certified NIST CSF LI certification, which is for those who want to be trained and certified as an expert in their “ability to implement the formal structure, governance, and policy of a robust cybersecurity framework following internationally recognized and respected NIST best practices and standards.”
Companies need to achieve NIST 800-171 compliance, which proves contractors’ ability to demonstrate their provision of adequate security to protect the covered defense information included in their defense contracts, as required by Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. As of November 30, 2020, all DoD contractors must conduct a NIST 800-171 Basic Assessment and submit their score to the Supplier Performance Risk System (SPRS).
Is there a NIST 800-171 certification?
The cost of NIST 800-171 compliance — not certification — depends on the size and complexity of your business, as well as if your security systems are up to date. Therefore, if you’ve been proactive and kept your business security up to date over the years, you may not need to do much more — or spend much more money — to become NIST 800-171 compliant.
Additionally, other factors to consider that can affect cost include:
- The number of aspects of your business that are affected by CUI
- The available people-power to carry out the procedures
- The maturity of the computing environment
This is why it’s difficult to put a specific dollar amount on how much NIST 800-171 compliance will cost, and why you’ll see quotes from anywhere from a few thousand dollars to several hundred.
Do NIST certificates expire?
Remember, NIST doesn’t provide certification for Information Technology (IT) systems, products, or modules. However, NIST does operate a number of IT Security Validation Programs that allow vendors to use third-party, independent, private-sector, accredited testing laboratories to have their products tested.
Can’t find the answer you’re looking for? Contact our team!
Still have questions?
We’d love to give you a test drive.
We’d love to give you a peek at how we help our clients achieve NIST 800-171 compliance. Request a demo below and one of our IT security experts will be in touch!