Recent News.

How to Become NIST 800-171 Compliant

The National Institute of Standards and Technology Special Publication (NIST 800-171) is a set of security requirements necessary for working with the Department of Defense. These requirements include secure file sharing and information exchange governance, such as how you store, access, exchange, and govern sensitive information with the agency.

NIST 800-171 applies to all organizations, both federal and non-federal, that work with U.S. government systems and data. Becoming compliant with NIST 800-171 first requires an understanding of technical terms such as controlled information and information systems, and how they apply to information exchange and governance.

Woman sending email on laptop

Controlled information

NIST 800-171 categorizes controlled information into two groups: technical and unclassified.

Controlled Technical Information

Controlled Technical Information (CTI) relates to military or space applications. CTI is subject to the requirements of the National Industrial Security Program (NISPOM). The term “technical information” is further defined within DFARS 252.227-7013 to mean “recorded information, regardless of the form or method of the recording, of a scientific or technical nature”.

Examples include:

  • Research and engineering data
  • Engineering drawings and associated lists
  • Specifications
  • Standards
  • Process Sheets
  • Manuals
  • Technical Reports
  • Technical Orders
  • Catalog-item identifications
  • Data sets
  • Studies and analyses
  • Computer software executable code and source code

Controlled Unclassified Information

Controlled Unclassified Information (CUI) includes personally identifiable information, patents, financial data, court records, and any other private information not requiring a high-level security clearance to view.

Computer drive data

Under NIST 800-171 requirements, government contractors must use a covered information system. This is an unclassified information system owned and operated by or for a contractor that processes, stores, or transmits covered defense information. These systems include:

  • Email
  • FTP
  • Enterprise Content Management Platforms
  • Cloud-Based Storage Systems
  • File Sharing and Collaborative Platforms
  • Employee Endpoints (laptops, tablets, smartphones, etc.)

The deadline for implementing the information security requirements listed in NIST 800-171 has already passed. Therefore, if your organization would like to continue working with the Department of Defense, the following steps should be taken.

1. Locate
Identify systems in your network that hold CUI. This includes:

  • Local Storage
  • Cloud Storage
  • Endpoints
  • Portable Hard Drives

2. Categorize

Classify specific files that fall under the definitions of CUI. Separate them from information that does not quality(did you mean qualify?). This will provide a streamlined process for demonstrating NIST 800-171 compliance in the event of an audit.

Data on a computer screen


3. Limit

Implement access controls so only authorized employees can view, download, and share files containing CUI. Set expiration dates to files or folders containing CUI. This will help prevent access after a project is complete.

4. Encrypt

Encrypt all data, whether in transit or at rest. This adds an extra layer of security and control over all systems interacting with your data. Encrypted data enables compliance and still allows authorized users the ability to share files through email, FTP, and more secure file sharing services.

5. Monitor

Know who is accessing the CUI and how they are using it. NIST 800-171 requires contractors to ensure the actions of individual users can be uniquely traced so they can be held accountable for their actions.

6. Train

Educate employees on the fundamentals of information exchange governance and best practices. All employees must be aware of security risks associated with their day-to-day activities involving CUI.

7. Assess

Conduct a security assessment that examines all systems, environments, and information exchange procedures to assess risk.

Open phone sitting on table

NIST 800-171 is required and it is up to each contracting organization to become compliant. Failure to do so can result in termination of contract, filing of criminal fraud charges, or breach of contract lawsuit. Become NIST 800-171 compliant today!

H2L Solutions provides services in Safeguarding CDI: DFARS 252.204-7012 and NIST 800-171 to include:

  • Compliance Gap Analysis
  • Total Compliance Lifecycle Management
  • Verification and Validation
  • Cybersecurity Risk Management Plan Development
  • Compliance Strategy Development
  • And more!

Discover more about our services here.


H2L Solutions implements, tests, administers, and sustains cybersecurity solutions. We have a staff of information security professionals skilled in the development and management of cybersecurity programs. Our professionals assist our clients with multiple layers of information assurance and cybersecurity requirements.