NIST 800–171: Why The DoD’s New Guidance Matters to Cybersecurity

May 16, 2018

InfoSec teams know one thing for certain: nothing in the cybersecurity world is ever a constant. Security professionals must constantly keep up with new regulations like GDPR, new timelines, new threats, and even new vendor security questionnaires. Not only are InfoSec teams the ones often creating and evaluating the vendor assessments, but they also have to keep up with these monumental shifts — and they’re happening more and more frequently. Just recently, the CIS released its Version 7 Controls, which is a prioritized set of 20 actions that any organization can follow to improve its cybersecurity posture.

One major change that organizations supplying products or services to the DoD (Department of Defense) should already be aware of comes from NIST, the National Institute of Standards and Technology. NIST implements practical cybersecurity and privacy through outreach and effective application of standards and best practices necessary for the U.S. to adopt. As we’ve discussed in a previous article, NIST is the creator of one of the top 5 questionnaires that InfoSec teams and IT teams use to evaluate vendors’ security postures. And as of December 31, 2017, any organization that supplies the federal government with products, solutions, or services under a Department of Defense (DoD), General Services Administration (GSA), or National Aeronautics and Space Administration (NASA) contract must comply with NIST 800–171.

What is NIST’s 800–171 Framework?

As a way to help InfoSec teams protect controlled unclassified information (CUI) in nonfederal systems and organizations, NIST created the 800–171 framework. What exactly is CUI? According to NIST, it is any potentially sensitive, unclassified data that requires controls which define its proper safeguarding or dissemination. NIST’s publication contains 14 specific security objectives (families of requirements), each with a variety of unique controls, as well as a mapping to NIST 800–53 and ISO 27001.

While this framework is mainly focused on companies that work under a government contract, it represents a concerted effort to improve cybersecurity at a national level and is a detailed framework with 14 areas that are important for any company looking to improve its cybersecurity posture.

The Manual Pains of Achieving NIST Compliance

If your organization has earned the trust of the Department of Defense (DoD), General Services Administration (GSA), or National Aeronautics and Space Administration (NASA), congratulations! You already know firsthand how difficult it is to go through the compliance and review process and earn the respect of these government agencies. Unfortunately, if your organization is like most, you spent days on end (if not weeks or even, in some cases, months) trying to complete the necessary 110 security requirements that NIST 800–171 lays out. The assessment process is rigorous to say the least, and for those that don’t meet the criteria? They’re no longer able to supply to these agencies, and those precious hours, weeks, and months were for naught.

While the government is of course one of the stricter bodies when it comes to security protocols, it shouldn’t be a surprise that enterprise companies that house precious customer data, PII, and other types of sensitive information also have rigorous security standards — and certainly for good reason.

But regardless of how impressive it is to achieve a strong security posture or a stamp of approval from the U.S. government, that doesn’t minimize the time and monetary investment that goes into filling out those questionnaires and assessments manually. For most organizations that supply to these government agencies, the pain is very real and very tangible. Not only is the time investment massive, but it’s also much easier to lose an important file or store it in the wrong location, get hung up on a few unanswered questions, mistype or misrepresent information by accident, or miss an important deadline. With so many individuals taking part in the process, it can seem like a job all on its own, and the opportunities for mistakes (even seemingly innocent ones) can derail the entire deal. What if there was a better way that didn’t entail responding to vendor assessments manually? What if you could store documents and assessment information in a central repository where it’s available all the time, so that subsequent assessments become even easier and more automated?

Eliminate Manual Spreadsheets and Use Whistic For NIST 800–171

With Whistic, your InfoSec team can develop a vendor assessment response process, enabled by your Whistic Security Profile, to easily and securely respond to NIST’s 800–171 requirements. With Whistic, your team can more intelligently allocate limited resources by assigning questions to specific subject matter experts across the organization and provide due dates and reminders along the way. Whistic offers the NIST 800–171 as an intelligent, online questionnaire and provides the ability to add comments and documentation to substantiate responses. The NIST 800–171 contains just over 100 questions, and Whistic’s process makes it more efficient and more effective to respond to the questionnaire and to be confident in your company’s response, giving your organization a leg up on potential competition.

Ready to Learn More?

Check out our resources below for more third party vendor best practices and insights on how your organization can effectively approach security assessments.

eBooks:

Why Third Party Security is Critically Important



About the author

Whistic

The latest insights and updates on information security and third party risk management.
