<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Thought Leadership

Small Defense Contractors: Get Ready to Meet New NIST Standards


Just about all defense contractors are smaller organizations than the U.S. Department of Defense, and very few are well versed in the often obscure terms and acronyms used by it.

At the same time, all defense contractors must be compliant with the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) by Dec. 31, 2017 which describes what they must do to protect covered defense information (CDI) and controlled unclassified information (CUI) that may pass through their IT systems as a result of the activities they conduct in support of the various DoD departments and agencies.

Few civilian organizations are as prepared as they should be at this point for the level of specificity and the compliance requirements that military agencies see as standard. NIST SP 800-171 helps these organizations comply so that they aren’t prevented from doing business with the military.

It maximizes the protection afforded to CDI and CUI to prevent it from falling into the wrong hands.

Here are a few key ways in which defense contractors (especially smaller defense contractors), can properly prepare themselves to achieve full compliance with NIST SP 800-171, a 76-page document that can be accessed on NIST’s website.


Small Defense Contractors – How to Approach Meeting NIST SP 800-171 Requirements

Defense contractors who achieved compliance with the 2013 Safeguarding of Unclassified Controlled Technical Information DFARS clause might approach meeting the requirements of NIST SP 800-171 by making simple policy and/or process changes or adjusting the configuration of existing IT. NIST SP 800-171 was written using performance-based requirements that wouldn’t require acquisition of additional IT hardware or software, but rather policy and procedural changes.

The FAQ states, “Most requirements in NIST SP 800-171 are about policy, process, and configuring IT securely, while others require security-related software (such as anti-virus) or additional hardware (e.g., firewall).”

It is also important to remain focused on the core purpose of the publication, which is to insure constant, proper protection of CDI and CUI when it is processed, stored, or transmitted through any of the contractor’s internal IT systems. Systems that do not participate in processing, storing, or transmitting CDI or CUI do not have to meet any requirements.

You may already have control or protective measures in place that exceed the NIST requirement, providing equal or better protection to CDI and CUI. If you feel this is the case, you have the right to submit an explanation to show that your alternative protection is appropriate, effective, and fit for purpose.


Small defense contractors who are new to these requirements should begin by thoroughly examining the policy and process changes indicated, especially those that involve IT. Assure that all IT configurations conform to the standards described. Assure that all policies and procedures involved in securing data and network meet or exceed the standards.

As you determine changes that will be required to IT systems, carefully determine which should be assigned to external expert resources to assure complete compliance.

Finally, document your strategy in a detailed, written plan of action with milestones for achievement. This will be useful in any situation where a lapse in compliance may be suggested.

A Potential Short-Cut to Compliance

Just as it has reduced workload and expense for many companies, small defense contractors may find they can literally outsource their compliance requirements by using a cloud service that meets security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP), a moderate requirements baseline for the storage, processing, and transmission of CDI and CUI.


It is important to specify this requirement in your contract with a compliant cloud service.

Should you choose to take this route, remember that there are still segments of your own network which may play a part in the storage, processing, or transmission of CDI and CUI to and from the FedRAMP-compliant cloud service, and these must meet or exceed the requirements, too.

The last thing to remember, whether you choose to use a cloud-service or not, is that your organization still owns responsibility for protecting the covered information at all times. You must assure that your cloud-provider adheres as stated. You must assure that your systems meet or exceed requirements at all times.

Originally Posted in Fifth Domain Cyber.

George Wrenn is founder and CEO of CyberSaint Security, was formerly chief security officer at Schneider Electric. He has more than 20 years of experience in the field of cybersecurity and is a Research Affiliate in Management Science at the MIT Sloan School of Management.

You may also like

Groundbreaking Executive Dashboard ...
on February 13, 2023

BOSTON--(BUSINESS WIRE)--CyberSaint, the leader in cyber risk management, today announced the release of its Executive Dashboard. CyberSaint is first-to-market with this new ...

CyberSaint STRONGER 2023 ...
on February 2, 2023

BOSTON--(BUSINESS WIRE)--CyberSaint, the leader in cyber risk management, today announced that the company is seeking speaker submissions for its virtual STRONGER conference, set ...

CyberSaint Partners With and ...
on October 5, 2022

BOSTON--(BUSINESS WIRE)--CyberSaint, the developer of the leading platform delivering cyber risk automation, today announced its CyberStrong platform is now Powered by Snowflake. ...

Booz Allen Hamilton and CyberSaint ...
on September 7, 2022

MCLEAN, Va. & BOSTON--(BUSINESS WIRE)--Booz Allen Hamilton (NYSE: BAH) and CyberSaint today announced a strategic partnership that aligns Booz Allen’s world-class ...

CyberSaint Continues to Support ...
on July 6, 2022

BOSTON--(BUSINESS WIRE)--CyberSaint, the developer of the leading platform delivering cyber risk automation, announced the addition of CMMC 2.0, allowing customers to adopt the ...

CyberSaint Makes FAIR Model ...
on June 28, 2022

BOSTON--(BUSINESS WIRE)--CyberSaint, the developer of the leading platform delivering cyber risk automation, announced the addition of the FAIR (Factor Analysis of Information ...