Compliance with NIST 800-171 for Protecting Controlled Unclassified Information

The cost, schedule and performance of a contract have been the traditional “pillars” by which the Federal Government has evaluated contractors. However, with cyber-attacks against the Federal Government on the rise, the Department of Defense (DoD) has placed increased scrutiny on the security of data at its various contractors. This attention is being pushed down the supply chain to even the smallest subcontractors. A report on supply chain security, recently published by The MITRE Corporation¹, calls for security to be the new “fourth pillar” of acquisition planning, equal to cost, schedule and performance.

NIST Special Publication 800-171 is the standard against which contractors are being evaluated, and compliance with the framework will be the differentiator between companies that win contracts and those that do not. Compliance with the NIST framework was first required in DFARS 252.204-7012, and we are seeing the control set adopted by other government agencies, including the Transportation Security Administration and the Department of Homeland Security.

The four pillars: cost, schedule, performance, security

Tom Tollerton
Senior Manager, DHG IT Advisory

Bill Walter
Managing Director, DHG Government Contracting