DFARS NIST 800 171 Compliance Deadline


The DFARS NIST 800 171 Compliance deadline is December 31, 2017. Below are the recommended controls that are required to ensure the confidentiality of CUI and NIST Compliance based on SP 800-171:

  • Access Control
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment & Authorization
  • System and Communications Protection
  • Three exceptions include: (i) CP-9 from the contingency planning family; (ii) a requirement to develop and implement a system security plan (derived from PL-2) from the planning family; and (iii) a requirement to implement system security engineering principles (derived from SA-8).

To ensure that security control deployments provide protection sufficient to address emerging threats, organizations are strongly advised to review the complete listing of SP 800-171 controls and compare it to their individual Security Plans. Contractors have to go the extra mile and implement nonfederal organization (NFO) controls. These controls are expected to be routinely satisfied by nonfederal organizations without specification. The government assumes that the contractor has policies, procedures, and security Plans in place that are the fundamental building blocks for a mature security program. For example, an incident response plan is required in order to meet the 72-hour window for reporting cyber Security incidents. However, the incident response plan control (IR-08) is listed as an NFO control.