NIST 800-171 CMMC


70% of attacks target small businesses


60% of all attacks carried out by insiders


91% of data breaches stem from phishing

01: Just the Facts

NIST 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. It is essentially a set of standards that defines how to safeguard and distribute material deemed sensitive but not classified.

NIST 800-171 was developed after FISMA (Federal Information Security Management Act) was passed in 2003. FISMA resulted in several security standards and guidelines, created in part to improve cybersecurity, especially after numerous recent, well-documented breaches, including those at the U.S. Postal Service and the National Oceanic and Atmospheric Administration. According to the National Institute of Standards and Technology, the primary reason is “a national imperative” to ensure that unclassified information residing outside federal information systems and organizations is protected properly and consistently. This helps the federal government “successfully carry out its designated missions and business operations.”

For certain government agencies, most notably the DoD (Department of Defense), GSA (General Services Administration) and NASA (National Aeronautics and Space Administration), a revised set of rules for NIST compliance took effect on December 31, 2017, requiring anyone who works with CUI from those agencies to implement specific security measures for how they handle data and to report non-compliance to the agency’s CIO. Under federal regulations such as DFARS clause 252.204-7012, every affected company and agency is now required to assess and document its compliance in handling this information in more than a dozen areas, from the way its networks are configured, to how any and all media is protected, to how employees receive access to the NIST 800-171 standard.

Prior to these requirements, every agency had a unique set of rules for handling, safeguarding and disposing of this material. These inconsistent standards posed a challenge – and a potential security concern – when information needed to be shared, especially when multiple contractors became part of the process.

02: The Challenge

In order to participate in the DoD acquisition process, businesses need to comply with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires all Defense Industrial Base (DIB) partners to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. This publication states that defense contractors must protect Controlled Unclassified Information (CUI) on the nonfederal systems inside their organizations.

03: The Cybernet Solution

Cybernet has more than 10 years of experience helping companies review, manage and understand compliance standards derived from NIST. Our experienced staff and our Security Manager tool reduce the time, effort, and complexity of addressing the 800-171/CMMC mandate.

04: Services We Offer

  • Assessment of Current Operations for Compliance

  • Document Plan of Actions & Milestones (POA&Ms)

  • Staff Training

  • Systems Security Plan (SSP)

The Next Step

Get connected with a Cybernet team member.

Download our most recent Capability Statement.

Learn more about NIST 800-171 and who needs to follow it.

Learn more about Cybersecurity Maturity Model Certification (CMMC).