NIST 800-171

Department of Defense contractors are under constant cyber threat from cyber criminals. In an effort to defend their work protecting FCI (Federal Contract Information) and CUI (Controlled Unclassified Data), the DOD has collaborated with the CMMC Accreditation Body (CMMC-AB) to create a third party assessment program.

Our staff has been fully trained and certified as Registered Practitioners.

Brea Networks provides Gap Analysis, Provisional Assessment, and Remediation to its government defense contractor clients in relation to NIST 800-171. Brea Networks is currently NIST 800-171 compliant and is a registered DIB IT Contractor organization.  Brea Networks is a shortlisted vendor that can work directly for the all DoD arm branches of the United states, prime contractors, and sub-contractors within the DIB industry.

Brea Networks breaks the NIST 800-171 compliance process down to 3 key phases. Once you have contracted Brea Networks as your NiST 800-171 3rd party consultant or RPO, Your project will be broken down as follows:

Gap Analysis

This is our discovery process. We evaluate your current security measures to determine security status and provide recommendations for best remediation options.

Provisional Assessment

This is where we review audit findings.


We commence updating systems, security practices, and policy creation.

Phase 1: Gap Analysis

We’ll walk you through the process of NIST 800-171 compliance, perform a detailed analysis of your business and systems to understand your qualifications, and provide recommendations for you to meet NIST 800-171 compliance requirements to pass your requirements.

Phase 2: Provisional Assessment

Once you receive your Gap Analysis results, you’ll next need to plan how you’re going to implement any missing security controls. These controls will include both technical and non-technical measures. This will involve multiple departments, not just IT. If your staff doesn’t have the expertise to do this, we can help. There are options to help you meet those regulations.

We will provide recommendations that will allow you to decrease the scope of compliance and reduce the coverall costs of your compliance requirements.

Phase 3: Remediation

Upon completion of NIST 800-171 compliance, the controls you put in place will need to be managed. Many companies are outsourcing security, even when they have in-house IT, because of its efficiency when bringing in all of the knowledge, skills and tools that are needed for advanced security.

Compliance with NIST 800-171 and the Defense Federal Acquisition Regulation Supplement (DFARS) is crucial for contractors and subcontractors working with the U.S. Department of Defense (DoD) and handling Controlled Unclassified Information (CUI). Here’s a general guideline to achieve compliance:


Understanding NIST 800-171
  1. Know the Requirements: NIST SP 800-171 focuses on protecting CUI in non-federal systems and organizations. It outlines 110 security requirements across 14 families of security controls.
  2. Scope Identification: Determine where CUI is stored, processed, or transmitted within your organization’s systems.
DFARS Compliance
  1. Understand DFARS Clauses: Especially 252.204-7012, which mandates cybersecurity measures and incident reporting.
  2. Assess Cybersecurity Requirements: Understand the cyber hygiene level required for your organization.
Steps to Compliance
  1. Conduct a Gap Analysis: Compare your current practices against NIST 800-171 requirements to identify gaps.
  2. Create a System Security Plan (SSP): Document how your organization meets each NIST 800-171 control. Include system boundaries, operational processes, and how security requirements are implemented.
  3. 3.Implement Security Controls: Address the 110 controls in NIST 800-171, such as access control, incident response, and system and information integrity.
  4. 4. Plan of Action & Milestones (POA&M): Develop a POA&M for unimplemented controls, documenting how and when these issues will be addressed.
  5. Regular Training and Awareness: Ensure all staff are aware of CUI requirements and cybersecurity best practices.
  6. Monitor and Maintain Compliance: Regularly review and update security measures and documentation. Stay informed about changes in NIST and DFARS requirements.
Vendor and Supply Chain Management
  1. Ensure Third-Party Compliance: Ensure that your subcontractors or third-party vendors are also compliant if they handle or access CUI.
Incident Response
  1. Develop an Incident Response Plan: Be prepared to detect, respond to, and recover from cybersecurity incidents, especially for DFARS 252.204-7012 requirements.
Documentation and Reporting
  1. Maintain Documentation: Keep detailed records of compliance efforts, including SSPs, POA&Ms, and incident response plans.
  2. Report Incidents: For DFARS compliance, promptly report cybersecurity incidents to the DoD.
External Assistance
  1. Consider Professional Assistance: Cybersecurity consultants or managed services can assist in achieving and maintaining compliance.
Regular Audits and Updates
  1. Conduct Regular Audits: Periodically review your security controls and compliance status.
  2. Stay Informed: Regulations and best practices evolve, so it’s important to stay current.
Achieving and maintaining NIST 800-171 and DFARS compliance is an ongoing process that involves continuous monitoring, updating, and educating staff. It’s not just a one-time effort but a continuous commitment to maintaining a high level of security.
Brea Networks adheres to NIST 800-171 and DFARs 252-204-7012.  Brea Networks is fully registered with the DIB to service DIB organizations.

DFARS compliance is a set of cybersecurity regulations that defense contractors and suppliers must follow in order to be awarded new DoD contracts, also known as the Defense Federal Acquisition Regulation Supplement (DFARS)

What Do I Need To Do To Be NIST 800-171 and DFARS Compliant?

  • Step 1: Calculate Your Organization’s CUI data flow, cybersecurity hygiene, policies, and procedures.
  • Step 2: Build a Remediation Plan to Safeguard against Non-Compliance POAM Plan of Action Mile Stone
  • Step 3: Implement Your Remediation Plan to Ensure Compliance.
  • Step 4: Continuously Monitor and Follow-Up.

A Plan of Action and Milestones Download (POA&M) is mandated by the Federal Information Systems Management Act of 2002 (FISMA) as a corrective action plan for tracking and planning the resolution of information security weaknesses

The security requirements in SP 800-171 Revision 2 are available in multiple data formats.

Please feel free to download in the format you need:

Questions about CMMC Compliance? Contact us Today