The NIST SP 800-171 Certification Requirements


NIST SP 800-171 Starts with the First Step

Ensure that your Controlled Unclassified Information (CUI) doesn't make it into the wrong hands and help keep your sensitive data safe. 
Smithers has been around for almost a century, and we are a proud provider of testing, consulting, information and compliance services globally. We know standards and certifications and work with companies to help them ensure that they are in total compliance with all regulations regarding their business — including NIST SP 800-171.

If you are doing business (or planning to do business) with the Federal government, you need NIST 800-171 certification. This standard applies to anyone who processes, stores or transmits controlled unclassified information (CUI). Certifying that you are NIST 800-171 compliant demonstrates that the CUI you handle is protected against cybercriminals.

Suppose you're planning to respond to a request for proposal (RFP) from the Department of Defense (DoD) or General Services Administration (GSA). In that case, the contract you sign when submitting your proposal confirms that your company is NIST 800-171 compliant. Read on to find out more about NIST 800-171 certification and why it is so important.

What Is NIST 800-171?

NIST stands for the National Institute of Standards and Technology. NIST published Special Publication 800-171 to ensure that companies doing business with the state or federal government protect CUI and other data stored on computers that are not held on government property. Both contractors and sub-contractors need to abide by the security measures required by the NIST 800-171 standard.

NIST 800-171 Compliance

NIST 800-171 Checklist

You may be wondering where you get started to ensure that you are NIST 800-171 compliant. Here is a NIST 800-171 checklist with factors that you will need to consider when getting started:

  • Access control: Who should have access? Who does have access?
  • Awareness and training: Do all staff members know how to handle CUI?
  • Audit and accountability: Who's regularly accessing the CUI, and are you logging unauthorized access?
  • Configuration management: Are you securing configurations and managing changes by following Risk Management Framework (RMF) guidelines? Do you have a baseline by which to control system changes?
  • Identification and authentication: Do you manage and verify all users and devices on your network?
  • Incident response: What's the plan if there's a breach of your data?
  • Maintenance: How are you maintaining your configurations and adjusting to changes?
  • Media protection: How are you keeping physical and digital media secure?
  • Physical protection: How are you protecting against physical damage to hardware and software, including backups and external drives?
  • Personnel security: Have you accounted for threats that may originate internally, such as those from disgruntled personnel?
  • Risk assessment: Have you assessed potentially vulnerable systems?
  • Security assessment: What method do you use to verify that your security measures are active and up-to-date?
  • System and communication protection: Do you identify and encrypt communications that flow across your networks and systems?
  • System and information integrity: Do you have processes in place to deal with vulnerabilities once identified?

Frequently Asked Questions about NIST SP 800-171

Is It Possible To Get Federal or State Contracts Without NIST 800-171 Compliance?

No, it isn't possible to get contracts without NIST 800-171 compliance. When you submit your RFP, you are confirming that you already have certification in place.

How Is CUI Defined?

Controlled unclassified information is any sensitive yet unregulated material found in paper files, blueprints, proprietary information, emails and email attachments, electronic files and more.

How Do I Get NIST 800-171 Certification?

Our cybersecurity services team can work with you to make sure you cover your bases and are in total compliance with NIST SP 800-171 so you can continue to work with state and federal government agencies without interruption.

Let Smithers Help Your Business Get NIST SP 800-171 Certified


Smithers has the experience necessary to ensure that you meet all the requirements of NIST 800-171 and can get the certification you need to secure government contracts. Contact us to learn more!