When hearing the words NIST compliance, businesses not familiar with the Federal Information Security Management Act (FISMA) terminology and procedures may cringe, but they don’t have to. National Institute of Standards and Technology (NIST) compliance and data security are required for DOD contractors and sub-contractors.


Organizations working with and handling controlled unclassified information must comply with NIST SP 800-171. As a subset of NIST 800-53, the latest NIST SP 800-171 release covers Controlled Unclassified Information (CUI).


Defining NIST Compliance

Before the requirements of NIST are discussed, it is best to define compliance-related terms.

  • Controlled Unclassified Information (CUI): CUI is sensitive information that relates to the interests of the US but is not regulated by the federal government.
  • Federal Information Security Management Act (FISMA): Federal law enacted in 2002 requiring federal agencies to develop, implement, and document information security programs.
  • Categories within FISMA include: