Do federal contractors have to comply with NIST SP 800-171?

All non-federal organizations that process, store, or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards. This includes direct contractors and subcontractors. Failure to comply with the DFARS can result in the loss of Department of Defense (DoD) contracts.

Are you DFARS compliant?

Currently, only DoD contractors must comply with the DFARS cybersecurity requirements, but there are plans to roll out the initiative.

This would require contractors and subcontractors working with any federal agency to comply with NIST SP 800-171, which are the security controls. A contact at NIST mentioned that by the end of 2018, the National Archives and Records Administration will make all non-federal organizations working with the federal government comply with NIST SP 800-171.

NIST SP 800-171

  • NIST SP 800-171 “Protecting Unclassified Information in Nonfederal Information Systems and Organizations” details requirements for the protection of CUI.
  • NIST SP 800-171 is a subset of the security controls found in NIST SP 800-53.


Download our free green paper to learn more about the NIST Cybersecurity Framework and how to get started on compliance.

The NIST Cybersecurity Framework is a voluntary framework for organizations to manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices.