NIST 800-171 vs NIST 800-53: Big Differences

By Heather Engel, EVP Risk Management

When evaluating your compliance with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and related clauses, or Federal Acquisition Regulations (FAR) Ruling 52.204-21, it’s important to understand the differences between the various National Institute of Standards and Technology (NIST) publications (https://www.nist.gov/publications). We’ll try to simplify it as much as possible, but if you do business with the government, check your contracts carefully — it’s likely you will need to be able to prove compliance with these cyber standards.

First, NIST SP 800-53 has been around for a number of years. It’s currently on Revision 4. As the title implies (Security and Privacy Controls for Federal Information Systems and Organizations), this publication is intended as a comprehensive guide to securing FEDERAL information systems. If you are a defense contractor trying to comply with acquisition regulations, your internal systems are not federal information systems. Many contractors operate federal information systems on behalf of the government, so in that situation NIST 800-53 may apply. We’ve worked with commercial organizations who did not operate any federal systems but have had 800-53 compliance written into their contracts, so it’s important to read the clauses and understand your responsibilities.

NIST SP 800-53 may also apply if you provide or would like to provide cloud services to the Federal Government. In this case, products are evaluated under the FedRAMP program (https://www.fedramp.gov/) using tailored 800-53 controls. NIST 800-53 is a 462-page document, so tailoring, evaluating and validating all the controls is onerous to say the least. Make sure that this is the best choice for your situation and that you know what various contracts require. Older versions of the DFARS clause required compliance with a subset of NIST 800-53 controls; this is no longer acceptable for complying with 252.204-7012.

NIST SP 800-171 was designed specifically for NON-FEDERAL information systems — those in use to support private enterprises. Revisions to the DFARS clause in August 2015 made this publication mandatory for defense contractors who have the DFARS 252.204-7012 clause in any contract. This document is a streamlined version of NIST 800-53. The NIST 800-171 document was recently updated to Revision 1 and includes some provisions that may take time to implement, including two-factor authentication, encryption, and monitoring.

Remember, December 31, 2017 is the deadline for compliance. Don’t wait to begin evaluating and documenting your compliance posture. If you’re not sure where to start, we can help. Check out our resources, including a free webinar at https://sera-brynn.com/dfars-information-webinar/

About Sera-Brynn:

Sera-Brynn is a Global Top 10 Cybersecurity firm headquartered in Hampton Roads, Virginia. We are a team of certified compliance auditors, security engineers, computer forensics examiners, security consultants, security researchers, and trainers with in-depth expertise and decades of experience. Many of us come from the national intelligence and military information security community where we designed, protected, and countered threats to the most complex and sensitive network infrastructures in the world. We apply those skills, tactics and techniques to the benefit of our global private sector clientele.

Sera-Brynn’s clients include Fortune 500 companies, global technology enterprises, DoD contractors, state and local governments, transnational financial services institutions, large healthcare organizations, law firms, Captives and Risk Retention Groups, higher education, international joint ventures, insurance carriers and re-insurers, national-level non-profits, and mid-market retail merchants, all of whom rely on Sera-Brynn as a trusted advisor and extension of their information technology team.