<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=352585001801011&amp;ev=PageView&amp;noscript=1">
Tyler Thepsiri

By: Tyler Thepsiri on October 21, 2022

Print/Save as PDF

Does NIST 800-171 Apply To My Business?

Cybersecurity | Compliance

Business leaders have a lot on their plate. There’s the balance sheet, inventory, and IT resources to name just a few. Compliance requirements add to the mix.

So, how do you know whether compliance frameworks like NIST 800-171 apply to your business

In this article, I’ll explain NIST 800-171 and provide guidance about which organizations are affected. I’ll talk about the next step in compliance (Cybersecurity Maturity Model Certification or CMMC) and let you know what to expect

At Kelser, we partner with organizations like yours every day to keep their IT infrastructures safe, available, and efficient. We offer a full suite of managed IT solutions that keep businesses running smoothly. Having said that, we understand that managed IT is not the best option for every organization

Rather than sell you our services, we publish articles like these that contain the information business leaders like you need to make the best IT decision for their business. You see, we think it’s imperative that you have unbiased information you can use to keep your business running strong whether you work with us or not. 

We know it’s a different approach, but it has worked well for us for more than 40 years and we expect that to continue! 

What Is NIST 800-171?

Just to make sure we are all operating from the same understanding, here’s some background. 

In 2003, FISMA (the Federal Information Security Management Act) was enacted. Shortly after, the National Institute of Standards and Technology (NIST) created Special Publication 800-171 to provide a framework for protecting CUI.

What Is CUI?

CUI is unclassified information that is created or possessed by the U.S. Government or an entity on behalf of the Government that, being relevant to the interests of the United States, requires safeguarding from unauthorized disclosure.

Examples include design diagrams or technical drawings for parts to be made specifically for products to be provided to the federal government or personally identifiable information (PII) used in the performance of federal government contracts.

Who Does NIST 800-171 Apply To? 

In general terms, the standards outlined in NIST 800-171 must be met by anyone who processes, stores or transmits CUI. This includes contractors and subcontractors for the DoD, GSA or NASA, and other federal or state agencies.  

How Can I Figure Out If NIST 800-171 Applies To My Business?

We work with many manufacturing organizations. Like them, you may not be sure if you are NIST compliant or if you need to be.

If your organization does business with the government as a contractor or subcontractor, you are required to meet the guidelines outlined in NIST 800-171.  

If you aren’t sure whether this affects your business, ask yourself these questions

  • Does my organization work on federal government contracts? If so, with which agencies or departments?
  • Does my organization work with subcontractors that have direct federal contracts?   If so, with which agencies or departments?
  • Is my organization a subcontractor or supplier to an organization that contracts with the federal government
  • Does my organization produce a unique product that is part of a government contract? (If so, make sure you read and understand the terms of your contract. If you still aren’t sure, ask your customer.

If you answer yes to any of the above questions, NIST 800-171 likely applies to your organization.

On the other hand, if your organization produces a commercial, off-the shelf (COTS) product that is sold to the government and non-government entities, your business is likely not required to comply with NIST requirements, but could benefit from the cybersecurity framework NIST provides.

Not sure where to start with NIST 800-171? Click on the button below, download the free NIST 800-171 checklist and learn 5 steps you can take today to get started on your NIST 800-171 journey.

Download Your NIST 800-171 Checklist

What Happens If I Don’t Comply With NIST 800-171? 

Failure to comply could affect your ability to work with these agencies, including the termination of contracts and damaged business relationships.

Read this article to find out what you need to do to become NIST 800-171 compliant or learn six steps to say ahead of compliance.  

What’s The Next Step In Compliance? 

Cybersecurity Maturity Model Certification (CMMC) is the next step in compliance requirements for defense contractors and subcontractors. 

It is designed to provide increased assurance that U.S. Defense Industrial Base (DIB) organizations are meeting these requirements for protection of CUI and federal contract information (FCI)

We’ve explained CUI above. Wondering about FCI?  FCI is information provided by or generated under government contract that has not been or is not intended for public release.

The latest version of CMMC, known as CMMC 2.0, outlines three levels of compliance. 

If You Handle FCI:

If your company handles FCI, you will need to achieve foundational (Level 1) CMMC 2.0 certification, even if you don’t handle CUI. 

If You Handle CUI:  

Most organizations that handle CUI will require advanced (Level 2) CMMC 2.0 certification.

Learn what the CMMC 2.0 certification levels require, why it’s important to prepare now for CMMC 2.0, and concrete steps you can take. 

What’s The Bottom Line?  

In this article, we’ve defined NIST 800-171 and identified the organizations that need to achieve compliance. We’ve provided questions you can use to determine if NIST 800-171 applies to your organization. We’ve explained what can happen if you don’t comply and we’ve discussed the next step in compliance. 

Whether or not your organization is required to comply with NIST 800-171 and CMMC 2.0, both provide a comprehensive framework you can use to keep your organization’s data safe. By going beyond compliance, you can ensure that you’ve taken steps to protect the business and customer relationships you’ve worked so hard to develop

Many large organizations have a full complement of IT experts who can help them implement these frameworks. Other smaller and medium-sized organizations may have a small staff or no IT staff at all.

These initiatives will require an investment of time and IT skills. If you find your internal resources lacking in either, consider partnering with an external IT support provider.  

Kelser includes compliance as part of our overall managed IT support services. But again, we know that managed IT support isn’t the right solution for every organization

If you are considering managed IT support, read this article to find out what managed IT support includes and what it typically costs.

Already evaluating managed IT providers? We encourage you to compare several providers to see which is the best fit for your organization. Here are the important questions to ask when evaluating IT providers

We're serious about comparing several providers and we believe so strongly in comparison shopping that we’ve even done some of the work for you! Here’s one of several articles in our Learning Center that provides an honest comparison of Kelser and one of our competitors. This article compares Charles IT and Kelser.  

If you are ready to move forward in your compliance journey and want to explore whether Kelser would be a good fit, click on the button below and one of our IT experts will reach out within 24 hours (often sooner) to see explore the possibility of working together. 

Talk with a Human


About Tyler Thepsiri

With more than 10 years in the IT industry, Tyler is able to adapt quickly to almost any technological issue. He understands how systems should work, and specializes in security and compliance.

Suggested Posts

Visit Our Learning Center