Overview of NIST SP 800-171


The protection of Controlled Unclassified Information (CUI) while residing in non-federal information systems and organizations is of significant importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. Therefore, based on Executive Order 13556, the U.S. government has defined new security requirements through two new contract clauses: DFAR 242.204-7012 and FAR 52.204-21.

These clauses outline the information security requirements placed on non-federal entities (i.e., government contractors and/or subcontractors) that possess and process sensitive data, known as Controlled Unclassified Information (CUI), while under contract with the U.S. government. NIST Special Publication 800-171 describes the IT security controls the government expects to be used when a contractor is processing federal data.

This guide covers information specific to the requirement for multi-factor authentication that must be used for local and network access to privileged accounts and for network access to non-privileged accounts.

Compliance with NIST SP 800-171 is required by December 31, 2017.

In addition to the requirement for multi-factor authentication, the following is applicable:

  • For all contracts awarded prior to October 1, 2017, the contractor is required to notify the DoD Chief Information Officer (CIO) via email within thirty (30) days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.
  • Further, NIST SP 800-171 states that in order to report cyber incidents, the contractor or subcontractor shall have or acquire a DoD-approved medium assurance digital certificate to report cyber incidents. The IdenTrust ECA Medium Token Assurance certificate meets this requirement.


Failure to comply with NIST SP 800-171 may result in a loss of government contracts.

The Requirements


Both DFAR 242.204-7012 - Safeguarding Covered Defense Information and Cyber Incident Reporting and FAR 52.204.21 – Basic Safeguarding of Covered Contractor Information Systems, essentially contain the same definitions and include similar clauses. The key definitions include:

  • “Covered contractor information systems” are subject to the security requirements of NIST SP 800-171. These systems are unclassified information systems that are owned or operated by or for a contractor and that process, store or transmit covered defense information.
  • “Covered defense information” means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations and government-wide policies.
  • “Information system” means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information.

One important aspect of compliance with NIST SP 800-171 is controlling access to systems and information. Security requirement 3.5.3 states that multi-factor authentication must be used for local and network access to privileged accounts and for network access to non-privileged accounts. In addition, the requirement is to use FIPS-validated cryptography; this means that the cryptographic module must have been tested and validated to meet FIPS 140-1 or 140-2 requirements. The software and/or hardware used to implement the algorithm must be separately validated under FIPS 140.