NIST 800-171 defines how to protect data, information and materials. NIST 800-171 was originally adopted as the minimum standards required to meet for compliance to the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clause.  The DFARS cybersecurity clause impacts all Department of Defense (DoD) contractors, both prime and subcontractors. Though NIST 800-171 is the standard adopted by the DoD, its use goes far beyond DoD contractors—to all federal contractors and even to all businesses and manufacturers.

The set of standards is officially named the National Institute of Standards and Technology Special Publication 800-171. It targets the protection of Controlled Unclassified Information in Non-Federal Information Systems and Organizations. So, what does that mean?

Controlled Unclassified Information (CUI) is any information that is not deemed “classified” but used while working on a federally funded project.  This can be any data or information that you research, discover, or otherwise put to use while working on a federally funded project. Even though this information may not be classified, it is still an asset to be protected.

The standards within NIST 800-171 provide guidance to all businesses and manufacturers who are seeking guidance and direction in how to address cybersecurity issues. The protections that these standards put in place help protect all assets not just CUI.

The standards contained in NIST 800-171 are divided into 14 families. These families are:

  1. Access Control-This area addresses who you authorize to view/access to your assets.
  2. Awareness and Training-This area looks into how employees, contractors or others on your site/network, are educated on your cybersecurity policy and procedures.
  3. Audit and Accountability-This area goes into your record keeping of access to your systems and ability to identify violations.
  4. Configuration Management-This area covers your existing network protocols and safety procedures.
  5. Identification and Authentication-This area goes beyond Access Control to look in detail at how authorized users are verified before gaining access to the systems.
  6. Incident Response-This area addresses your processes that are triggered when a cybersecurity threat or breach occurs.
  7. Maintenance-This area looks at your maintenance turnaround time and responsible staff.
  8. Media Protection-This area goes over how you backup and store information as well as who has access to backups.
  9. Physical Protection-This area delves into who has physical access to your equipment and storage.
  10. Personnel Security-This area addresses any screening process you have in place for employees, contractors, and others who access your systems.
  11. Risk Assessment-This area goes over your proactive testing of systems and processes.
  12. Security Assessment-This area addressed the effectiveness of your processes and procedures.
  13. System and Communications Protection-This area looks at your ability to monitor the exchange of information within your systems.
  14. System and Information Integrity-This area looks at how fast your turnaround time is for detected threats.


NIST 800-171 compliance can help you showcase your cybersecurity preparedness for working within your supply chain or on a federal contract. The DoD has already made NIST 800-171 compliance a requirement. Other federal agencies are expected to follow. Even if you are not a federal contractor or sub-contractor, use NIST 800-171 to help get ahead of the competition and solidify your spot in the supply chain!


Katherine Bennett

Katherine Bennett leads the Instructional Design team for NCMEP partner NC State Industry Expansion Solutions. She also serves as project manager for instructional design services. Katherine plays a key leadership role in supporting the IES goal of providing instructional design and development expertise that complements the field-specific expertise of IES partners, while meeting the learning needs of target audiences. Katherine holds a bachelor’s degree in Computer Science from the University of North Carolina at Charlotte and a master’s degree in Instructional Technology from East Carolina University.