NIST 800-171 and DFARS Readiness

Before CMMC 2.0 comes into full effect by 2025, defense contractors need to be compliant with the DFARS interim rule. If your organization processes, stores, or transmits sensitive government information, The Scarlett Group is here to help. Our NIST 800-171 Gap Analysis evaluates your organization against the 14 NIST 800-171 domains, provides detailed reporting on the gaps observed, and recommends controls to help you meet DFARS cybersecurity compliance.

The DFARS Interim Rule - Required Compliance, Now

NIST 800-171 is the National Institute of Standards and Technology's Special Publication 800-171. Put simply, this document governs controlled unclassified information (CUI), which is commonly found within the networks of DoD contractors and vendors. This set of controls and standards defines how that sensitive data should be handled, protected, monitored, and transported. A DoD supplier that is non-compliant with NIST 800-171 will also fail to meet the controls outlined in DFARS clause 252.204-7012.

The Defense Federal Acquisition Regulation Supplement (DFARS) is going to be required for a majority of defense contracts between now and 2025. The Interim Rule requires defense contractors to follow the objectives outlined in NIST 800-171. In our experience, a majority of defense contractors do not follow these requirements. Compliance with the interim rule is reported and posted in the Supplier Performance Risk System (SPRS). Without proper cybersecurity controls, your organization could be at risk, and you may be ineligible for certain contracts.

What is The Scarlett Group's NIST 800-171 Gap Analysis?

The objective of the NIST 800-171 gap analysis is to identify the domains in which your organization falls short of the controls outlined in NIST 800-171 under the interim rule. The Scarlett Group's consultants then provide a detailed breakdown of the areas that are lacking, leading to an overall picture of what needs to be improved. We can then recommend solutions and controls to help close the observed gaps, ensuring that your NIST 800-171 self-assessment will properly meet the 110 outlined controls. The primary result of this engagement is a complete "checklist" that defines what is needed to achieve NIST 800-171 compliance.

Without properly scoped gaps, NIST 800-171 compliance can prove to be a daunting task. Our consultants will work with your organization to help prepare for the self-assessment.

Note Regarding CMMC: By the year 2025, CMMC is replacing the current DFARS and NIST 800-171 frameworks. Please visit our CMMC Readiness page for more information.

CMMC vs DFARS vs NIST 800-171

The Scarlett Group was founded by IT auditors with the mission of providing accurate assessments for organizations of all sizes. Our team believes that a proper understanding of the frameworks in question is vital when considering readiness services. Please see the outline below for a quick overview of the different compliance frameworks.

CMMC 2.0

CMMC 2.0 is a new standard that sets out to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) by defining the approximate cybersecurity posture expected of organizations within the DoD supply chain. This new compliance framework will affect over 300,000 organizations. The CMMC standard will replace self-assessed NIST 800-171 and will be a requirement for DoD contracts by the year 2025. The image below outlines the CMMC Levels and provides a brief description of their associated practices. Sources indicate that most organizations will likely require CMMC Level 2, which aligns with NIST 800-171. The core difference is that formal auditing will begin once CMMC is active.

NIST 800-171

NIST 800-171 is a set of standards and security controls recommended by the National Institute of Standards and Technology in order to protect certain types of government data on non-federal systems. This standard was previously self-assessed, but new compliance requirements from CMMC will now require a certified auditor (C3PAO) to validate that the NIST 800-171 controls are properly implemented within an organization.

DFARS

DFARS is the defense supplement to the Federal Acquisition Regulation (FAR). In the context of IT and cybersecurity, the DFARS cyber clause DFARS 252.204-7012 is the relevant portion. This clause outlines the requirement for NIST 800-171 compliance for CUI. CMMC was developed to help accelerate and properly assess the intent behind DFARS 252.204-7012.

If you want more information on Compliance as a Service, visit this page.

Frequently Asked Questions

For all intents and purposes, CMMC is going to be the official framework that DoD contracts must comply with by 2025. Please visit our CMMC Readiness page for more information.