NIST Cyber Security Regulations for Global / SFC Valve Vendors

What is NIST SP 800-171?

NIST SP 800-171 is a special publication created by the National Institute of Standards and Technology (NIST) that outlines the security controls for controlled unclassified information (CUI) or covered defense information (CDI) for Non-Federal Information Systems. The due date for either the implementation of all of the listed security controls OR the identification and documentation of the controls which your organization has yet to implement is December 31st, 2017.


Why was NIST SP 800-171 created?

This framework is designed to provide guidance to contractors and sub-contractors that possess CUI to aid in protecting data and reducing or eliminating security incidents from occurring. The NIST 800-171 framework was developed from NIST SP 800-53 publications which outlines the security requirements for Federal information systems.


What is CUI/CDI?

CUI/CDI is information provided to the contractor by or on behalf of the DoD in connection with the performance of the contract; or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. CUI/CDI also falls in any of the following categories:

  • Controlled technical Information
  • Critical information: Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activates vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of Operations Security process).
  • Export Control: Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations and munitions list; license application’ and sensitive nuclear technology information.
  • Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations and Government wide policies (e.g., privacy, proprietary business information.

Click here to see the full list of information types that are categorized as CUI

What are the security requirements to comply with NIST SP 800-171?

There are 14 security families with a total of 109 controls and another control for creating and maintaining an Information Systems Security Plan (ISSP). It’s very important to read the NIST document in its entirety.

  1. Access Controls
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Physical Protection
  10. Personnel Security
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

Global / SFC Valve Resources

Global / SFC Valve NIST Cyber Security Resources

Useful External Resources

Protecting Controlled Unclassified Information on Non-federal Information Systems and Organizations NIST Special Publication 800-171r1

Assessing Security and Privacy Controls in Federal Information Systems and Organizations NIST Special Publication 800-53r4

Guide for Developing Security Plans for Federal Information System, NIST Special Publication 800-18

Final CUI Rule Requires Contractors to Adopt Uniform Treatment of Confidential Information

Understanding NIST SP 800-171: Details About DFARS Compliance