NIST Special Publication 800-171

For more information about NIST visit

At Integration Technologies Group (ITG), our team of consultants and information security practitioners understand the operational and technological requirements of the latest DFARS 252.204-7012 mandate requiring compliance to NIST Special Publication 800-171 for contractors that access and process controlled unclassified information (CUI) or covered defense information (CDI).

As a Federal Contractor and valued partner, our team understands the necessity in maintaining information to technical and compliance controls. Our clients look to us for valued support to their key initiatives in the areas of information security and cyber threat.

The Defense Federal Acquisition Regulations Supplement (DFARS) are the Department of Defense’s (DOD) supplemental regulations of the Federal Acquisition Regulations (FAR). The DFARS primarily focus on DoD-wide policy, laws, deviations from FAR requirements, and DoD specific delegations of FAR requirements. Overseen by the Defense Acquisition Regulations System (DARS) Office, the primary mission is to develop and manage the guidelines and rules for acquisition in regards to services for the DOD.

The mandate for the NIST Special Publication 800-171 requirement is published in DFARS 252.204-7012, which specifically addresses “safeguarding covered defense information and cyber incident reporting”, as revised on October 21, 2016. The scope of this mandate addresses the requirement for Government contractors and subcontractors to establish and maintain safeguards (network security) that provide security in information that resides or is transmitted through contractor systems.

Driven by Executive Order 13556 (November 4, 2010), which established a CUI Program, the NIST Special Publication 800-171 (Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations) provides principle guidelines to a government-wide requirement for CUI. The publication provides key requirement guidelines to 14 key information security areas:

Access Control Awareness and Training Audit and Accountability Configuration Management Identification and Authentication Incident Response Maintenance Media ProtectionPersonnel Security Physical Protection Risk Assessment Security Assessment System and Communications Protection System and Information Integrity

Any contractor doing business with the Federal government, which handles this type of information, is required to demonstrate the security controls and be compliant to the requirements of this publication by December 31, 2017. A complete list of CUI categories can be found at the National Archives website:

ITG is knowledgeable and experienced in Information Security and Information Assurance practices, including industry quality standards such as the International Organization for Standardization’s (ISO) – ISO/IEC 27001:2013 – Information Security Management Systems. Our team is well versed with the requirements of the NIST 800-171 publication, as well as the requirements and application of information systems and security control practices.

As practitioners and consultant experts, our team brings a unique capability of technical understanding, implementation and application practice, and operational management that provides our partners with exceptional support to their mission and Federal customer mandates.

For more information about NIST visit