Defense contractors face a growing challenge: meeting NIST 800-171 compliance requirements while maintaining operations and keeping contracts active. The 110 security controls in NIST SP 800-171 demand technical rigor, thorough documentation, and ongoing management, which most internal teams are not resourced to handle on their own. Gaps in compliance put contract eligibility at risk and leave controlled unclassified information (CUI) exposed to cyber threats.
Coalfire Federal's NIST 800-171 compliance services help you close those gaps with precision, giving your team expert-led advisory and assessment support built on nearly 20 years of federal cybersecurity experience.
What NIST 800-171 Compliance Requires of Federal Contractors
If your organization collects, stores, or transmits covered defense information (CDI) or CUI on nonfederal systems, DFARS clause 252.204-7012 requires you to implement the security controls defined in NIST SP 800-171. Both prime contractors and subcontractors must demonstrate compliance, post current assessment scores to the Supplier Performance Risk System (SPRS), and maintain a system security plan (SSP) that accurately reflects their security environment.
With CMMC 2.0 now codifying these requirements into a tiered certification model, achieving and proving NIST 800-171 compliance is no longer optional. Level 2 of CMMC directly aligns with the 110 practices in NIST SP 800-171, meaning that contractors handling CUI must pass a third-party assessment conducted by a certified C3PAO. The window to prepare is closing, and the cost of inaction is losing eligibility for DoD contracts.
Background
NIST 800-171 states that nonfederal contractors or subcontractors that collect, store, or transmit covered defense information (CDI) or controlled unclassified information (CUI) for the federal government on nonfederal systems will need to comply by December 31, 2017 or risk losing government contracts. All prime contractors and their subcontractors must comply.
The interim DFARS rule specifies that all contractors and subcontractors post a current assessment into SPRS by Nov. 30, 2020, as a prerequisite to submitting bids for new contracts or renewing existing contracts with the DoD. This applies to both prime contractors and subcontractors.
DFARS clause 252.204-7008 addresses requirements for safeguarding covered defense information in government contractor systems, which includes both CDI and CUI. Clause 252.204-7012 addresses the expansion of those safeguards to include cyber incident reporting requirements.
Coalfire Federal Supports Your Compliance Journey.
Our Advisory and Assessments services are designed to support your organization, regardless of where you are currently on your compliance journey.
Gap analysis: Coalfire Federal’s advisory team will conduct a compliance analysis of current information systems against NIST 800-171. Findings include the current compliance posture, identification and verification of organizational security boundaries, the status of system policies and procedures, and a roadmap for DFARS/NIST 800-171 compliance.
Remediation: Coalfire Federal’s advisory team will assist in the design and documentation of the system security plan (SSP) and several closely associated supporting documents that are required to achieve DFARS compliance. Coalfire will also provide DFARS reference architecture recommendations and engineering roadmap considerations.
Assessment: Coalfire can develop and test against a DFARS security assessment plan (SAP) that includes NIST 800-171 controls. The assessment report will indicate the compliance posture with DFARS.
For more information on our support services, contact us today for a free consultation.