NIST 800-171 Compliance, PCBs, and Your Company

As technology advances, government organizations must determine how best to regulate the use of this technology in various industries. When you work in a military, aerospace, or naval sector, you know just how frequently new regulations are issued in order to keep up with the progress of technology.

Many of the most important innovations and technologies that must be managed are related to the storage, control, and communication of information. Modern technology must be able to resist acts of cyberterrorism, reduce the risk of data loss, and shield information from unauthorized access.

Relevant regulations most often come into play to hold companies to high standards of security and privacy, as well as to decrease the overall number of data breaches through incentives or penalties for noncompliance.

One of these regulations was put into effect by the National Institute of Standards and Technology, or NIST, in 2017. In this blog, we explain everything that contractors working directly with government or in adjacent fields need to know about NIST 800-171.

What Is NIST 800-171?

NIST 800-171 is a specific set of security standards applicable to controlled nonclassified information or CUI. NIST 800-171 is separate from the regulations placed on government agencies, like the Department of Defense. Instead, this set of standards applies to contractors, suppliers, and others who work with government agencies.

NIST 800-171 is designed as an extension of existing regulations regarding nonclassified online information, such as the Federal Information Security Management Act, or FISMA. NIST began to develop 800-171 in part as a response to recent data breaches affecting government agencies, like the United States Postal Service.

What Does NIST 800-171 Cover?

NIST 800-171 has 14 detailed key points of compliance designed to ensure that non-federal organizations and information systems can adequately control CUI. These key points dictate how information is protected and managed on a daily basis, how communications are secured, and how data breaches are handled.

The 800-171 key points can be summarized as four categories:

  1. Controls
  2. Management and monitoring
  3. End-user policies
  4. Security measures

The requirements in each of these categories reduce the risk that a non-federal contractor’s lack of information security will cause sensitive information to be lost or a government agency’s classified information system to be breached.

Who Is Subject to NIST 800-171 Compliance?

Many contractors mistakenly assume that they are not subject to NIST 800-171, which unfortunately can lead to noncompliance penalties. You are subject to NIST 800-171 standards if:

  • You are a tiered supplier for a government agency
  • You provide contract work for a government or military agency
  • You store or transport any CUI that falls under NIST 800-171 regulation

NIST 800-171 applies regardless of company size, affecting everyone from large manufacturers to single-person contracting businesses.

Keep in mind that some contractors have reported not receiving the formal notification that they must comply with NIST 800-171. This issue can occur due to outdated contact information, poor communication between contracting tiers, or notification delivery through an infrequently used portal such as an ordering system.

A lack of this formal NIST 800-171 notification does not make you exempt from compliance.

How Does Compliance Affect Your Company Directly?

Because NIST 800-171 has been in place since the end of 2017, many contractors assume that it is too late for them to become compliant or that their systems are compliant without any changes.

While there is no certification for NIST 800-171 compliance, a noncompliance finding could have serious consequences for your company as well as for any companies who use you as a supplier.

Noncompliance with NIST 800-171 when your business deals with CUI will result in termination of any government contracts and may prevent you from signing any future contracts. Intentional noncompliance could result in breach-of-contract lawsuits or fraud charges.

How Do Regulations Apply in PCB Development?

Printed circuit board (PCB) development is one of the types of manufacturing most affected by NIST 800-171 regulations since PCBs are used to power information, navigation, and other sensitive systems. The PCB design itself and the system specifications it’s designed for may fall under CUI when the PCB has government applications.

When choosing manufacturers of any type of information technology, especially PCBs, discuss the company’s NIST 800-171 compliance status.

If you perform services, manufacture sensitive equipment, or store data for a government industry, whether as a primary contractor or a subcontractor, you are subject to the parameters of NIST 800-171. Familiarize yourself with the information discussed above and the language of the publication to ensure you can comply fully and avoid penalties.

As you continue to move forward with your business, ensure that the companies you partner with for CUI work are NIST 800-171 compliant in order to protect your investments and your company’s future in government-adjacent fields.

When you need PCB development from a trusted and NIST 800-171–compliant engineer, trust Streamline Circuits.