As a defense contractor, achieving compliance with NIST SP 800-171 is crucial for protecting Controlled Unclassified Information (CUI) and securing contracts with the Department of Defense (DoD). However, recent statistics released by the DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) have shown that many companies struggle to meet certain NIST SP 800-171 practices. In this article, we'll break down the top 10 practices most frequently missed during DIBCAC High assessments. So, let's dive in!
3.13.11 FIPS-validated Cryptography: This practice requires that any cryptography your organization uses to protect CUI is FIPS-validated, that is, it meets the Federal Information Processing Standards (FIPS) requirements. This covers encryption for data at rest and in transit as well as cryptographic key management. One way to meet this practice is to use FIPS-approved algorithms, such as AES with 256-bit keys, implemented in a FIPS 140 validated cryptographic module. Another is to use a FIPS-validated product, such as a hardware security module (HSM) or a validated cryptographic library.
3.5.3 Multi-factor Authentication: This practice requires that your organization implements Multi-factor Authentication (MFA) for remote access to your systems and networks. This means that users must provide more than one form of authentication, such as a password and a fingerprint, or a password and a one-time code sent to a mobile device. One solution for meeting this practice is to use MFA software or a service, such as Microsoft Azure Multi-Factor Authentication or Google Authenticator. Another option is to use a hardware token, such as those offered through Duo.
3.14.1 Identify, report, and correct system flaws: This practice requires that your organization has processes in place for identifying and reporting any flaws in your systems and networks, as well as correcting those flaws. This includes vulnerabilities, misconfigurations, and other issues that attackers could exploit. One solution for meeting this practice is to use vulnerability management software, such as Nessus or OpenVAS, to scan your systems and networks for vulnerabilities. Another option is to use a security information and event management (SIEM) solution, such as Splunk or LogRhythm, to monitor your networks for suspicious activity and anomalies.
3.11.1 Periodically assess risk: This practice requires that your organization periodically assess the risks to your systems and networks, including the likelihood and impact of potential threats. This can be done through vulnerability assessments, penetration testing, and threat intelligence. Regular penetration testing in particular simulates real-world attacks on an organization's systems and networks, providing a way to identify and address the risks those attacks would expose.
3.11.2 Scan for vulnerabilities: This practice requires that the organization regularly scan its information systems for vulnerabilities. This can be done using automated tools or manual assessments.
3.3.3 Review and update logged events - This practice requires organizations to regularly review and update the set of events their systems log, so that what is captured stays relevant, complete, and current. Example solutions include implementing an automated, scheduled review of audit event selection and regularly training employees on the importance of proper log management.
3.3.4 Audit logging process failure alerts - This practice requires organizations to have processes in place to detect any failure of the audit logging process and to alert on it. Example solutions include implementing automated log monitoring and alerting tools, and regularly reviewing system logs for signs that logging has stopped or is dropping records.
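One way to implement the detection side of 3.3.4, as an added example that is not part of the original article: a small monitor that reads a constructed stream of syslog-style lines and raises an alert either when the audit daemon itself reports trouble or when the audit record stream goes silent for longer than an assumed tolerance. The failure patterns are assumptions modelled on Linux auditd wording, not an exhaustive list.

```python
"""Detect audit logging process failures (NIST SP 800-171 3.3.4).

Added example, not from the original article. Two failure signals are
checked: explicit failure messages from the audit daemon, and silence
(no audit record for longer than MAX_GAP_SECONDS).
"""
from datetime import datetime, timedelta

MAX_GAP_SECONDS = 300  # assumed heartbeat tolerance for the audit source

# Substrings indicating the logging pipeline itself is failing (assumed list).
FAILURE_PATTERNS = (
    "audit: backlog limit exceeded",
    "audit: audit_lost=",
    "auditd: disk is full",
    "auditd: write error",
)

# Constructed sample log lines: ISO timestamp, host, message.
SAMPLE_LOG = """\
2024-03-01T10:00:00 host1 audit: type=USER_LOGIN pid=1200 uid=0 res=success
2024-03-01T10:02:30 host1 audit: type=SYSCALL pid=1300 uid=1001 res=success
2024-03-01T10:03:10 host1 kernel: audit: backlog limit exceeded
2024-03-01T10:03:15 host1 kernel: audit: audit_lost=42 audit_rate_limit=0
2024-03-01T10:15:00 host1 audit: type=USER_LOGIN pid=1400 uid=1001 res=success
"""

def parse_line(line):
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, msg

def detect_failures(log_text, max_gap=MAX_GAP_SECONDS):
    """Return a list of (timestamp, alert_text) for logging-process failures."""
    alerts = []
    last_audit_ts = None
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, _host, msg = parse_line(raw)
        # Signal 1: daemon/kernel reports the audit subsystem is dropping records.
        if any(p in msg for p in FAILURE_PATTERNS):
            alerts.append((ts, f"audit logging failure reported: {msg}"))
            continue
        # Signal 2: the audit record stream went silent for too long.
        if msg.startswith("audit: type="):
            if last_audit_ts and (ts - last_audit_ts) > timedelta(seconds=max_gap):
                gap = int((ts - last_audit_ts).total_seconds())
                alerts.append((ts, f"no audit records for {gap}s (limit {max_gap}s)"))
            last_audit_ts = ts
    return alerts

if __name__ == "__main__":
    for ts, text in detect_failures(SAMPLE_LOG):
        print(ts.isoformat(), "ALERT", text)
```

In production the silence check would also fire from a timer when no new line arrives at all, since a dead log source never produces the line that reveals the gap.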
3.3.5 Correlate audit record review, analysis, and reporting processes - This practice requires organizations to have processes in place for reviewing, analyzing, and reporting on audit records, and to correlate those processes so that suspicious or unusual activity can be investigated and responded to. Example solutions include implementing automated audit analysis and reporting tools and regularly training employees on the importance of proper audit management.
3.6.3 Test incident response capability - This practice requires organizations to regularly test their incident response capabilities to ensure that they are prepared in the event of a security incident. Example solutions include conducting regular incident response drills and implementing incident response simulation and testing tools.
3.4.1 Establish/maintain baseline configuration - This practice requires organizations to establish and maintain a baseline configuration for their systems so that they remain secure and compliant. Example solutions include implementing configuration management tools and regularly comparing system configurations against the established baseline, then correcting any drift.
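A minimal drift check for 3.4.1, as an added example that is not part of the original article: an approved baseline for a handful of sshd directives is compared against a constructed sshd_config, and every deviation or missing setting is reported. Both the baseline values and the sample config are assumptions for illustration; an organization's real baseline would be its own approved settings under change control.

```python
"""Compare a host's sshd_config against an established baseline (3.4.1).

Added example, not from the original article. BASELINE and SAMPLE_CONFIG
are constructed; a real baseline is the organization's approved set.
"""

# Constructed baseline: the approved value for each security-relevant directive.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed sample config: one directive has drifted, one is absent.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no   # trailing comment
MaxAuthTries 4
PermitRootLogin no
"""

def parse_sshd_config(text):
    """Return {directive: value}; the first occurrence wins, as sshd applies it."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings.setdefault(key, value.strip())
    return settings

def check_drift(baseline, observed):
    """Return [(directive, expected, actual)]; actual is None when unset."""
    findings = []
    for key, expected in baseline.items():
        actual = observed.get(key)
        if actual != expected:
            findings.append((key, expected, actual))
    return findings

if __name__ == "__main__":
    for key, expected, actual in check_drift(BASELINE, parse_sshd_config(SAMPLE_CONFIG)):
        print(f"DRIFT {key}: expected {expected!r}, found {actual!r}")
```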
As a small defense contractor, the compliance requirements for NIST SP 800-171 can seem overwhelming, especially with the recent statistics released by the DCMA DIBCAC identifying the top 10 commonly missed practices. However, by implementing the solutions outlined in this article, you can take steps toward achieving compliance and protecting Controlled Unclassified Information (CUI). At Aspire Cyber, we understand the importance of compliance and the challenges that small defense contractors face. Our team of experts is here to help guide you through the process and ensure that your organization correctly implements the NIST SP 800-171 practices. So don't let compliance worries weigh you down. Contact us today to schedule a free consultation and take the first step toward protecting your organization.