NIST 800-171 Compliance Deadline


Under DFARS 252.204-7012, to meet NIST SP 800-171 Compliance, a contractor must implement the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, that is in effect at the time the solicitation is issued by the Contracting Officer, or as soon as practical, but not later than December 31, 2017.

On August 16, 2016, the National Institute for Standards and Technology (NIST) released draft revisions to Special Publication (SP) 800-171 changing the NIST compliance recommendations. The most notable change involves the addition of a new standard, PL-2 (System Security Plan), which is derived from NIST’s security and privacy controls standard for federal information systems and organization (SP 800-53).  Contractors are to describe in a system security plan (SSP), how the Controlled Unclassified Information (CUI) requirements are met or how organizations plan to meet the requirements. The SSP describes the boundary of the information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems. When requested, the SSP and any associated plans of action and milestones (POAM) for any planned implementations or mitigations should be submitted to the responsible contracting officer to demonstrate the nonfederal organization’s implementation or planned implementation of the CUI requirements.  In addition, CUI Information will only have only one level of safeguarding (i.e., moderate impact for confidentiality). This means that CUI confidentiality impact value is not lower than Moderate in accordance with Federal Information Processing Standards (FIPS) Publication 199.

National Archives and Records Administration (NARA), in its capacity as the CUI Executive Agent, plans to sponsor in 2017 a single FAR clause that will apply the requirements of the proposed federal CUI regulation and NIST Special Publication 800-171 to all Government Contractors. Until the formal process of establishing such a single FAR clause takes place, the CUI requirements in NIST Special Publication 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements.



[button size=’large’ color=’btn-orange’ link=’’ target=’_blank’ block=’0′ lightbox=’0′]CLICK HERE[/button]