NIST 800-171 Service

Full compliance for the DoD and U.S. government.

Increased security and peace of mind for you.

(DFARS Clause 252.204-7012)


U.S. government enforcement of the NIST SP 800-171 cybersecurity guidelines is happening now. If your company is part of the U.S. government manufacturing supply chain, contact us for an immediate assessment now.



Most small to medium-sized commercial companies face constant challenges simply to maintain their information technology and networking systems. This is especially true for firms in the U.S. government manufacturing supply chain, as recent information security compliance requirements can adversely affect their profitability as well as status.

Equally important, commercial supply chain organizations are also required to adhere to these new guidelines. It is no longer enforceable for federal contractors alone. Other key changes include:

  • All contractors awarded contracts to provide products or services that require the use of Controlled Unclassified Information (CUI) are ordered to comply with DFARS Clause 252.204-7012
  • Over 100 controls must now be addressed, as well as the cyber security posture of the supplier’s network or system across the 14 security domains defined in NIST SP 800-171
  • The obligation of proof is now placed on the supplier, and their entire supply chain
  • Failure to comply will result in a Corrective Action Report (CAR), loss of contract or potential legal actions


Manufacturing firms who want to remain as a trusted U.S. government supplier must ensure their company — and their entire supply chain — meet the following minimum requirements for DFARS Clause 252.204-7012:

  1. Self-Attestation of the contract obligations for compliance (attesting to compliance)
  2. System Security Plan with the following provable elements (updated periodically):
    • System Boundaries: Identify the network map, connections and segmentations initially and through the life of the contract
    • System Environments of Operations: Operating Environment where CUI is stored
    • How the security requirements are implemented: Policy, actual evidence and proof of the security requirements as active in real time
    • Relationships or connections with other systems: Real-time situational awareness of all connections and system profile information
  3. Plan of Action and Milestones: Detailed plan of cyber gaps and necessary remediations, regularly updated to show continuous improvements
  4. Incident Response Plan: An approved process defined by the DoD for reporting incidents within 72 hours of the event on a non-negotiable basis
  5. Proof of cyber resiliency, such as implemented “adequate” cybersecurity controls, cyber event monitoring and processes. Failure to provide proof if requested may lead to the loss of federal contracts


With our decades of expertise as a key cybersecurity partner to the U.S. government, Cytellix understands the requirements and context of the new guidelines in detail. We are actively working with firms of all sizes and industries to ensure compliance in the safest, most direct and cost effective manner. Our core methodology includes:


  • Cybersecurity Assessments
  • Device Profiling
  • Network Leak Detection
  • Vulnerability Management
  • Real-time Cybersecurity Managed Services (SaaS)


  • Real-time Situational Awareness
  • Complete Visibility
  • Cyber Analytics
  • Vulnerability Management
  • Security Information and Event Management


Cytellix is available to provide a detailed assessment at no charge. Our goal is to ensure you are fully aware of the steps required to stay compliant and cyber prepared, and provide a plan of action that will minimize time or cost disruption. Contact us to learn more and arrange an assessment at your convenience.

Contact Us