800-171 Compliance

    Federal requirements for nonfederal organizations to safeguard Controlled Unclassified Information (CUI) are changing. Many organizations that provide government services in which CUI is stored, processed, or transmitted within organizational information systems are required to adhere to these emerging requirements. To demonstrate compliance with these new CUI requirements, nonfederal organizations must ensure that the security safeguards implemented within their information systems are commensurate with the security requirements identified in various regulations (e.g., FAR 52.204-21 and DFARS 252.204-7012) and guidance. Depending on the type of CUI (i.e., category and subcategory) that is resident within an information system, the security requirements may vary, but National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, provides the minimum CUI requirements that must be met.

    The requirements described in 800-171 apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI and external providers of those systems that provide some form of security protection for components that process, store, or transmit CUI. The three (3) prerequisites that require the application of the CUI security requirements within nonfederal information systems include:

    • When CUI is resident in a nonfederal system and organization;
    • When the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency [If a nonfederal organization collects or maintains information on behalf of a federal agency or uses or operates a system on behalf of an agency, FISMA compliance may be required. Please see https://coact.com/services/saa/saa-for-federal-agencies/]; and
    • When there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by an authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the publicly-available online CUI Registry maintained by the National Archives and Records Administration (NARA).

    Many organizations that are or will be affected by these changes may underestimate the scope of the requirements and the resources needed to obtain and maintain compliance. COACT has provided security assessment and authorization services to many federal agencies and commercial organizations using various compliance frameworks. As an accredited Third Party Assessment Organization (3PAO), our Quality System and experience performing NIST 800-53 security control assessments can be leveraged to provide compliance services and help you meet these new security requirements. If you would like additional information, please read our white paper or fill out the contact form below and one of our security analysts will contact you.
