NIST 800-171: Government Contractor Guidelines Protecting Controlled Unclassified Info

Federal Government Contractors must have policies and procedures written for NIST 800-171 by 12/31/2017. There has been a lot of confusion about this, leading me to have 3 separate conversations this past week alone. I hope this brief video explaining what it is, clears this up for most of you as you go to document your already existing IT best practices.

The main area of confusion for business owners and IT directors is that the NIST 800-171 is a series of guidelines and are not hard fast rules or regulations. You must take the guidelines and write your own IT internal policies to them. If you follow general IT best practices you are already doing the bulk of the guidance found in the NIST document. Missing documentation is not uncommon in small businesses. This requirement just have you put down your policies on paper. And if you find a gap that you don’t have based on the NIST 800-171, its your opportunity to plug the gap or decide its not currently required for you organization.

The hard and fast rules that IT directors and CEOs were expecting still come in the RFP, the COR, CO, or other government representative on the project that you are working on. It is at this level that you may be asked to provide supporting documentation that shows you are compliant based on YOUR OWN CORPORATE policy.

NIST is not regulatory. They do not have representatives that will verify you have document your IT information assurance and cybersecurity protocols. NIST is just the team that helps map out the overarching guidelines that you plug in your own information into. Agencies such as DOD will take NIST guidelines and turn them in regulations. So there is no need to panic. You are probably already doing everything that is required of you. Just take the time to document it and make the language sound as fancy as you want.

If you need help, let us know.

Link for NIST 800-171:

Check out my Culpeper Times article related to NIST:







Leave a Comment