NIST 800-171

The Department of Defense (DoD) requires its contractors to protect controlled unclassified information (CUI) that lives on contractor-owned systems, and the standard it points to for doing so is NIST Special Publication (SP) 800-171. Rev. 2 of the standard, published in February 2020, is the revision that contracts carrying DFARS clause 252.204-7012 have been assessed against since then. In this article, we look at what actually changed in SP 800-171 Rev. 2, what it means for defense contractors, and the steps an organization can take to meet its requirements.

What is SP 800-171 Rev. 2?

SP 800-171 is a set of security requirements developed by the National Institute of Standards and Technology (NIST) for protecting the confidentiality of CUI when it resides in non-federal systems and organizations. The original version was published in June 2015, Rev. 1 in December 2016, and Rev. 2 in February 2020. The requirements are derived from FIPS 200 and the moderate baseline of NIST SP 800-53, not from the NIST Cybersecurity Framework (CSF). They are organized into 14 families (access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity) totaling 110 requirements. NIST has since published Rev. 3 (May 2024); which revision a given contract invokes depends on the clause in that contract, so confirm the baseline before starting an assessment.

The purpose of SP 800-171 is to ensure that organizations handling CUI have the measures in place to protect it. CUI is defined by Executive Order 13556 and 32 CFR Part 2002, and the authorized categories are listed in the National Archives' CUI Registry. In a defense context it commonly includes controlled technical information (CTI), export-controlled information (ITAR and EAR), and other sensitive but unclassified government information that a contract requires the contractor to safeguard.

Key Changes in SP 800-171 Rev. 2

Rev. 2 did not add, remove, or reword any of the security requirements. The 110 requirements in 14 families carried over unchanged from Rev. 1, and NIST's own change notice describes the revision as editorial. What changed, and what it means in practice:

Editorial updates only: The changes are limited to the introductory chapters, the glossary, and the references. An organization that had fully implemented Rev. 1 was already compliant with Rev. 2 and needed no new technical controls.

Same assessment baseline: Because the requirements are unchanged, the assessment procedures in SP 800-171A and the DoD Assessment Methodology continue to apply as written, and existing system security plans and plans of action remain valid.

Clearer supporting text: The revised discussion text makes several requirements easier to interpret and implement, including those around network boundary protection, the use of FIPS-validated cryptography, and access control. It is the supporting text, not the requirements themselves, that was clarified.

Implications for Defense Contractors

Defense contractors are required to comply with SP 800-171 Rev. 2 if they store, process, or transmit CUI on their systems. The obligation comes from DFARS clause 252.204-7012, which has required contractors and subcontractors handling covered defense information to implement SP 800-171 since December 31, 2017, to report cyber incidents to DoD within 72 hours of discovery, and to flow the clause down to subcontractors. Since November 30, 2020, DFARS 252.204-7019 and 7020 have additionally required a current SP 800-171 DoD Assessment score to be posted in the Supplier Performance Risk System (SPRS) before award. Rev. 2 itself is no harder to meet than Rev. 1; the difficulty for most organizations is that the requirements are now being scored and checked rather than self-declared.

Organizations must assess their current security posture against all 110 requirements and determine what changes are needed. The standard itself requires two documents that an assessor will ask for first: a system security plan (requirement 3.12.4) that describes the system boundary and how each requirement is met, and plans of action (requirement 3.12.2) for any requirement that is not yet met, with milestones for closing the gap.

Meeting the Requirements of SP 800-171 Rev. 2

To meet the requirements of SP 800-171 Rev. 2, organizations should take the following steps:

Scope the CUI environment: Identify where CUI enters, is stored, is processed, and leaves the organization, and draw the system boundary around it. Keeping CUI out of systems that do not need it shrinks the set of systems that must be assessed.

Assess the current posture: Evaluate each of the 110 requirements as met, not met, or not applicable, using the assessment objectives in SP 800-171A, and record the result. Requirements with no partial credit under the DoD Assessment Methodology, such as multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), deserve particular attention.

Develop a plan: Write the system security plan and, for every unmet requirement, a plan of action with an owner, a target date, and the resources required. This is the artifact that supports a score in SPRS and the first thing an assessor reviews.

Implement the plan: Put the technical controls, incident response procedures, and security policies in place, and update the system security plan as each gap is closed.

Monitor and review: Reassess on a regular schedule, test the incident response process against the 72-hour reporting requirement, and keep the SPRS score and system security plan current as the environment changes.

In conclusion, SP 800-171 Rev. 2 is the current contractual baseline for protecting CUI on contractor systems, even though its requirements are unchanged from Rev. 1. It covers access control, incident response, system and communications protection, and the other families listed above. Adherence is essential for every defense contractor that handles CUI: failure to comply can mean loss of eligibility for awards, contract termination, and, where compliance was misrepresented, liability under the False Claims Act. Contractors that have not yet completed a full assessment against the standard should begin with scoping and a system security plan as soon as possible.

Ways We Can Help You

Contact us to receive assistance in navigating cybersecurity risks and information compliance for your company. Here are some additional ways we can help:

  • Schedule a free discovery session with us during which we can learn about your company, answer your questions, and assist you in determining if Cleared Systems is the right fit for you.

  • Register for our upcoming cybersecurity and information compliance training.

  • Purchase our books on CMMC 2.0, CUI, Data Breaches, and ITAR.

  • Join our weekly free webinar sessions to ask questions and learn about the latest developments in cybersecurity and information compliance.

Author Profile

Carl B. Johnson, President of Cleared Systems, is a highly experienced ITAR, CMMC 2.0, Microsoft GCC High, and Microsoft DLP/AIP consultant. With over twenty years of experience in information assurance, cybersecurity, policy development, risk management, and regulatory compliance, he brings a wealth of knowledge and expertise to his clients.
