NIST 800-171 provides a set of guidelines that outline the processes and procedures that companies need to implement to safeguard this information. NIST 800-171 provides guidance as to how CUI should be accessed, shared, and stored in a secure fashion.

Companies that work with DoD contracts, whether a prime or subprime contractor, are required to comply with minimum standards for cybersecurity developed by governing bodies like the National Institute of Standards and Technology (NIST) before they can handle classified or controlled but unclassified information (CUI). 

NIST Special Publication 800-53 and NIST Special Publication 800-171 are two common mandates with which companies working within the federal supply chain may need to comply.

To be eligible to participate in federal contracts, subcontractors provide evidence of compliance with NIST 800-171 to the subcontractor or prime they are working with, not directly to the government. NIST 800-171 covers the protection of "Controlled Unclassified Information" (CUI) defined as information created by the government, or an entity of behalf of the government, that is unclassified, but needs safeguarding.


Yep. NIST and CMMC Certification will both be required in the near future. 

For many companies, especially small ones not directly doing business with the government, NIST 800-171 may be your first exposure to compliance mandates set by the federal government, whereas prime contractors working directly with the government have long been accustomed to compliance mandates to which they must abide such as NIST SP 800-53.


The NIST 800-53 publication is a comprehensive guide to securing federal information systems. In general, DoD prime contractors (and not subcontractors working for primes) need to comply with NIST 800-53 if they operate federal information systems on behalf of the government (or if the requirement for NIST 800-53 compliance is included in their federal contracts).


For contracts that require NIST 800-171 compliance, all subcontractors working within the federal supply chain must meet compliance, whether they are subcontractors working for a prime or subcontractors working for another subcontractor.

Here is how you can comply with NIST Mandates

You can meet compliance with NIST 800-171 using any of the following methods:

  1. Hire an outside vendor to perform a NIST 800-171 assessment - Partner with Applied

  2. Perform your own self-assessment and self-attestation.

  3. Hybrid of the two methods.

Self Assessment can be tricky. See why DIY compliance is risky.