

NIST SP 800-171 stemmed from the Defense Federal Acquisition Regulation System Supplement (DFARS) Case 2013-D018, “Network Penetration Reporting and Contracting for Cloud Services,” which was finalized in October 2016. This standard impacts thousands of companies that sell directly to the Defense Department, and many more that sell to its suppliers.
NIST SP 800-171 required government contractors to provide “adequate security” to protect “controlled but unclassified information” (CUI) by December 31, 2017. While its main objective is to drive better cyber controls to protect CUI in non-federal systems and organizations, navigating the standard requires some understanding of its structure.