How to achieve NIST 800-53 and 800-171 Compliance A guide explaining the key steps to become NIST 800-53 and NIST 800-171 Compliant

How to achieve NIST 800-53 and 800-171 Compliance

Businesses wanting to obtain elusive Department of Defense (DoD) contracts must understand the importance of meeting Defense Federal Acquisition Regulation Supplement minimum cybersecurity standards. These cybersecurity standards involve processing, transmitting and storing unclassified information. Businesses doing development and research for DoD must look at the National Institute of Standards and Technology (NIST) for understanding.

The public and government officials look for accountability regarding organizations’ data and information system protection.

Requirements of Complying with NIST

The NIST is a governmental non-regulatory agency focused on developing specific guidelines that make technology and science businesses more competitive economically. NIST provides standardized information required security requirements and insight into potential directions regarding US laws. Once they understand NIST requirements and adapting their security controls to those requirements, they have met the initial step in compliance with regulations in the future.

How does NIST Special Publication 800-53 Pertain to Businesses?

NIST 800-53 provide guidelines for creating security and privacy controls and policies. The standard gives businesses a roadmap for creating IT asset assessments that are based on risk tolerance. This risk tolerance is based at the highest level. At the lowest level, the publication provides 10 primary activities required for creating, establishing and ensuring policies, oversight and communication. These 10 activities also defined controls, set time frames and select audit teams and requirements to store documents.

Is NIST Special Publication 800-171 Important?

Yes. NIST 800-171 informs businesses about unclassified document storage defined by regulation, government policies and information that a law regarding security controls.  The best description of NIST 800-171 is 800-53 Lite. The latter contains about 20 prescriptive controls and 800-171 includes 14 requirements. The differences and similarities between the NIST special publications assist businesses in understanding which publication applies to them.

#1. NIST Compliance Risk Management Assessment

NIST 800-171 only provides limited information on describing the process of risk assessment. NIST 800-53 provides an outline for the specific controls and supplemental guidance to help create appropriate assessments.  To understand the risk assessment process, businesses must review 800-53 to meet NIST 800-171 compliance.

It is important to note that NIST 800-171 details control baselines for risk assessment process. For instance, it doesn’t incorporate some things outline in NIST 800-53 like supply chain assessment. Also, NIST 800-53 lists specific requirements companies must provide to as assurance regarding privileged access poses and updating the vulnerability and automated trend analysis done with frequency.

#2. NIST Compliance Access

NIST 800-171 also provides companies with a high-level overview when compared to NIST 800-53.  NIST 800-171 also offers businesses a quick tutorial for NIST compliance. If businesses find themselves needing more information, they can read 800-43. This is a straightforward guideline for accessing controls in each of the special publications and the appropriate detailed levels.

For example, NIST 800-171 outlines how to separate duties from people to reduce risks of them coming together to steal information. For smaller companies, this means they need to clearly define goals of their access control. Keeping employees’ roles separate so they can’t work together to use their job access to collectively steal information. Therefore, businesses seeking to become NIST compliant should focus on accessing control capabilities to determine the type of compliance requirement they need to meet.

#3. Manage Audit Documentation

Both NIST 800-171 and 800-53 require audit programs. These are similar to the previous requirements discussed. NIST 800-171 provides a streamlined requirement. NIST 800-53 goes into depth about what companies need to know to manage audit documentation. For example, for organizations already in NIST 800-171 compliance, requirements are straightforward. They need to maintain information system audit records to provide they are in compliance with ongoing analysis, monitoring, reporting and investigation of any inappropriate or unauthorized system activities.

NIST 800-171 list about seven additional steps businesses can incorporate for better, more appropriate audit documentation. For instance, a company must have alerts to audit process fail. It must also have an audit review to for suspicious activities. For smaller businesses, NIST 800-171 provides everything they need to know about managing audit documentation. They still need to obtain NIST 800-53 for more detailed understanding on aspects such as audit processing failures regarding hardware and software errors.

Not all businesses may be required to meet detailed NIST 800-53 compliance requirements. However, they should read NIST 800-171 to supplement their understanding of their NIST 800-53 compliance needs.

How automation Helps Companies Meet NIST Compliance

Companies that provide automation assist businesses with meeting NIST compliance. These companies have gap analysis tools that provide an organization to review their current controls to better fit with NIST compliance. For instance, automation companies can easily map a current business controls to NIST 8000-171 to make ISO certified companies more likely to become NIST 800-171 certified quicker than other companies.


If you're looking for a SOC Reporting & Compliance Framework you can try ZenGRC from Reciprocity, an easy-to-use, enterprise-grade information security solution for compliance, risk management, business control tracking, testing, and enforcement. Its centralized dashboard will greatly help you to keep track of the various tasks, such as: managing audit documentation, observing program progresses, scrutinizing security opportunities, identifying control competion and more [Disclaimer: I'm working for that company].

Here's a presentation video explaining its most distinctive features:



About Ken Lynch

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at

View all posts by Ken Lynch

Leave a Reply

Your email address will not be published. Required fields are marked *

The reCAPTCHA verification period has expired. Please reload the page.

This site uses Akismet to reduce spam. Learn how your comment data is processed.