NIST 800-171 applies to most manufacturing companies working with the Department of Defense supply chain. If you receive Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), you must implement 110 required security controls. In our experience, 7 out of 10 manufacturers handling defense-related drawings or specs are unknowingly in scope. Compliance gaps often surface only after a failed bid or contract delay — when fixes are most expensive.
What Is NIST 800-171?
NIST 800-171 is a federal cybersecurity standard required for non-federal systems that process CUI.
It covers:
- Access controls
- Incident response
- Logging and monitoring
- Encryption
- System configuration
It is the foundation of CMMC Level 2.
What Counts as FCI vs CUI?
FCI examples:
- Contract numbers
- Delivery schedules
- Procurement details
CUI examples:
- Engineering drawings
- CAD files
- Technical specs
- Controlled emails
CUI often resides in:
- ERP systems
- File shares
- Cloud storage
- Email inboxes
How Manufacturers Accidentally Fall In Scope
- Subcontractor flow-down clauses
- Shared vendor portals
- Prime contractors assuming compliance
- Lack of data segmentation
“We only build parts” does not remove compliance responsibility.
How to Determine If You’re In Scope
Answer these 5 questions:
- Do you work with DoD primes?
- Do you receive drawings or technical files?
- Where is that data stored?
- Who has access?
- Is it segmented?
If you answer yes to 2 or more, NIST 800-171 likely applies.
Example
A 55-employee machine shop believed they were out of scope. A review found CUI stored in shared email and local file servers. After an 8-month remediation project, they became compliant and preserved eligibility for aerospace subcontracting.
Why Ideal Tech
- Manufacturing-focused compliance expertise
- Deep understanding of OT/IT separation
- Local, hands-on compliance support
