Guide to NIST-800 Compliance

Information Security Compliance Standard to Defense Contractors / Vendors 

What is NIST-800 Compliance?

NIST stands for the National Institute of Standards and Technology. NIST-800 compliance is based on cybersecurity best practices and are designed as a framework for federal agencies and subsequent vendors requiring security measures.

NIST-800 compliance is divided into two sub-sections; 53 and 171.

NIST-800-53: FISMA

FISMA is a 462-page set of guidelines that government institutions use for privacy and security levels and privacy in their systems. The focus of FISMA is to help government organizations when they are assembling IT security protocols and strategies.

NIST-800-171: DFARS

DFARS is only 125 pages of guidelines. It covers the proper protection of Controlled Unclassified Information (CUI) when a non-federal organization is using that data on their internal systems. Only 109 controls are listed in this document, and all of them are required for compliance

Who should be NIST-800 Compliant?

Contractors to the Department of Defense

Contractors that work in or for the Department of Defense (DoD) are expected to adhere to NIST Compliance. Most contractors are only subject to -171 compliance. However, some vendors, if they provide the cloud-services for federal systems, may be subject to -53 compliance.

What does NIST-800 Compliance consist of?

NIST Compliance is organized into 14 families of security requirements ranging from training and physical security to access control and communications protection. Compliance consists of 109 points across these 14 families.

Fourteen families of security requirements

3.1 Access Control
  • Limiting the system access to authorized users and activities.
  • Employing the “least privilege” principle where if someone doesn’t need access, they don’t have it.
  • Monitor and manage sessions based on location and activity.
  • Protect wireless access with authentication and encryption.
  • Verify and limit connections to external and public systems.
3.2 Awareness and Training
  • Make employees aware of security risks associated with their activities.
3.3 Audit and Accountability
  • Create, protect, and retain system audit records.
  • Ensure records can be uniquely traced to users.
3.4 Configuration Management
  • Establish and maintain configurations for organizational and security systems.
  • Restrict, Disable, Prevent nonessential programs/functions.
  • Control and Monitor User-installed software.
3.5 Identification and Authentication
  • Authenticate users before allowing access to organizational systems.
  • Replay-resistant authentication mechanisms.
  • Password Policies: Standardize complexity and usage.
  • Cryptographically protect passwords.
  • Obscure Feedback of Authentication Information.
3.6 Incident Response
  • Incident response; Provide adequate preparation, detection, analysis, containment, recovery, and user response activities
3.7 Maintenance
  • Maintain Organizational Systems; personnel, tools, etc.
  • Wipe devices of CUI before offsite maintenance.
  • Check media for malicious code prior to use.
  • Use Multi-factor authentication.
3.8 Media Protection
  • Protect System Media (limit access, physically control, storage of CUI, Sanitize or Destroy system media before disposal)
  • Control access to media containing CUI
  • Control the use of removable media
3.9 Personnel Security
  • Screen Individuals prior to access of Org systems, and protect systems after employee transfer/termination
3.10 Physical Protection
  • Limit devices and physical access
  • Support infrastructure.
3.11 Risk Assessment
  • Scan for vulnerabilities and remediate as necessary.
3.12 Security Assessment
  • Have a plan to reduce vulnerabilities
  • Develop, Document, and Update Security Plans
3.13 System and Communications Protection
  • Protect Communications at external and internal borders
  • Promote effective information security
  • Separate user functionality from system admin functionality
  • Prevent unauthorized information transfer
  • Implement subnetworks for publicly accessible system components
  • Prevent remote devices from transferring data to external networks
  • Cryptographic Mechanisms to protect CUI during transmission
  • Terminate network connections after a period of inactivity
  • Control and Monitor: Mobile code, VoIP
  • Protect the authenticity of communication sessions and CUI at rest.
3.14 System and Information Integrity
  • Identify, report, and correct information and system flaws in a timely manner.
  • Provide protection from malicious code at appropriate locations within organizational systems.
  • Monitor system security alerts and advisories and take appropriate actions in response.
  • Update malicious code protection mechanisms when new releases are available.
  • Perform periodic scans of the organizational system and real-time scans of files from external sources as files are downloaded, opened, or executed.
  • Monitor organizational system including inbound and outbound communications traffic to detect attacks and indicators of potential attacks.
  • Identify unauthorized use of an organizational system.

What is our approach to compliance?

Compliance Audit

Our team conducts a series of interviews and a network audit to determine data access and usage.

Gap Analysis

A Gap Analysis identifies the missing pieces necessary to achieve compliance.

Remediation Plan

A remediation plan is put forth and executed with action steps towards compliance based on priority level.


ITonDemand then monitors system usage and provides the service and support to maintain compliance.

Compliance+ in Action / Florida Manufacturing Firm

A small north Florida manufactures CNC close tolerance machined parts, custom components, and assemblies for the defense sector. Given the sensitive nature of the parts being manufactured, it was vital that communications and manufacturing specifications were secure while organizational infrastructure was put in place and maintained to NIST Compliance.

Read how ITonDemand made it happen.

Contact Us

HIPAA Compliance

The Health Insurance Portability and Accountability Act or HIPAA is the standard for protecting sensitive patient data. Any company that deals with electronic protected health information or (ePHI) must have physical, network, and process security measures in place and enforce them to ensure HIPAA Compliance.

Who should be HIPAA Compliant?

Health Plans

Those using online portals should ensure XYZ blah blah blah

Health Care Clearinghouses

Businesses receiving payment via credit card

Health Care Providers

business blah


Are you Aware?

When an EMR system is deployed by a medical facility, patient data is stored in the cloud. Unless the documents are encrypted and sent directly to the cloud server without any other system, JPEG’s and PDF’s can be stored locally in the cache, unsecured.

To remediate this, use a local on-site server in addition and implement the same security protocols to that server to prevent the breach of printable ePHI.

PCI Compliance

Secure payment systems ensure your customers that you can be trusted with their payment information. PCI Compliance puts measures in place to prevent a data breach or loss of consumer financial information.

The 12 Points to meet PCI Compliance

PCI Compliance can be achieved by meeting 12 points that follow the usage, storage, and transportation of information.

SOC-2 Compliance

SOC-2 compliance is a necessary security 

Who should be SOC-2 Compliant?


Those using online portals should ensure XYZ blah blah blah


Businesses receiving payment via credit card

Service Providers

business blah