Learn the Truth About NIST Compliance in the Next 90 Seconds

Are you aware of the mandatory cybersecurity DFARS compliance deadline of December 31, 2017? (See Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”)

Cybersecurity guidelines required by the Department of Defense (DoD) are likely to have an enormous impact on the nation's approved manufacturers that received DoD contracts in 2016. As of December 31, 2017, all DoD contractors (including small businesses) must meet minimum cybersecurity requirements or risk losing DoD business. Unfortunately, many manufacturing companies are not even aware of this deadline and what they must do to become compliant.

NIST Special Publication 800-171

NIST Special Publication 800-171 covers the protection of “Controlled Unclassified Information” (CUI) defined as information created by the government, or an entity on behalf of the government, that is unclassified, but needs safeguarding. (See "NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.")

NIST 800-171 provides a set of guidelines that outline the processes and procedures that companies need to implement to safeguard this information.

Learn more about NIST SP 800-171 by downloading the white paper, "What Manufacturers Should Know About NIST 800-171."


Who Needs to Comply

With cybersecurity a focal point for the DoD and all major industries, safeguarding manufacturing supply chains is becoming more important than ever.

Does your company conduct business directly, or indirectly as a tiered supplier, with the US federal government or DoD?

Due to increased concerns about cyberattacks, any manufacturer, either an OEM or tiered supplier, contractually doing business with the DoD, General Services Administration (GSA), or NASA must be compliant with defined cybersecurity requirements as of December 31, 2017.

Companies that are currently working on a contract for the DoD, regardless of tier, need to be aware of the NIST compliance requirements called out in the clauses of their contract.

If you're a manufacturer, you need to make sure you are compliant with your federal government contract.

Read the guide to learn more about NIST 800-171 compliance.




NIST Standards

The standards are outlined in a publication from the National Institute of Standards and Technology (NIST). (See "NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.") The standards fall into 14 areas with specific security requirements that must be implemented.

The categories include:

  1. Access control
  2. Awareness & training
  3. Audit & accountability
  4. Configuration management
  5. Identification & authentication
  6. Incident response
  7. Maintenance
  8. Media protection
  9. Personnel security
  10. Physical protection
  11. Risk assessment
  12. Security assessment
  13. System & communications protection
  14. System & information integrity

You can learn more about these categories by downloading Corserva's recent webinar presentation, "How to Comply with NIST 800-171."


Ramifications for Non-compliance

What does this mean for you as a DoD contractor?

If a contractor does not have proof of compliance, the company risks removal from the approved DoD vendor list. The DoD Chief Information Officer must now be notified, within 30 days of contract award, of any security requirements (including cybersecurity requirements) that are not implemented at the time of award.

Don't risk loss of business. There are costs involved in becoming NIST compliant, but you may not need to spend as much as you think. Learn more in "3 Myths About NIST 800-171 and NIST Compliance."

Manufacturers need to prepare for the NIST 800-171 mandate, and you may be wondering exactly what you need to do to meet federal government cybersecurity requirements.



How to Achieve NIST Compliance

UPDATE AS OF FEBRUARY 2020: To increase the cybersecurity posture of companies operating in government supply chains, a new certification has been created, Cybersecurity Maturity Model Certification (CMMC).

The Department of Defense is planning to migrate to the new CMMC framework to enhance the cybersecurity posture of companies participating in government supply chains.

The CMMC framework will require all companies seeking compliance to work with an accredited and independent third-party organization to schedule a CMMC assessment.

Learn more in "Leveraging NIST Assessments to Become NIST Compliant."

NIST 800-171 at a glance:

  • Deadline: December 31, 2017
  • What is protected: unclassified information that still needs safeguarding (CUI)
  • Who must comply: all manufacturers contractually doing business with the US government as a prime contractor or as a sub for a prime contractor
  • Risk of non-compliance: loss of business and removal from the approved DoD vendor list


About Corserva

Corserva has been in business for over 30 years and offers a large portfolio of IT and consulting services. Our team has a very strong focus on IT security assessments, including assessments for NIST 800-171 and NIST 800-53.


Sean McCloat, CISSP

Sean is responsible for Corserva’s network and security operations centers, field services, sales engineering, data center operations, and professional services. He has an intense focus on delivering exceptional customer service across a wide array of client engagements. With 25+ years of national and global experience in the IT industry, Sean has real-world experience at the corporate and enterprise levels of healthcare, advertising, and logistics organizations.
