We can help you understand NIST 800-171 requirements
NIST 800-171 requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. A nonfederal information system is a system that does not meet the criteria for federal systems.
800-171 assumes that small manufacturers currently have IT infrastructure in place and, where necessary, develop or acquire new systems to handle CUI. Most small manufacturers already have security measures to protect their information, and these may also satisfy the 800-171 security requirements. A variety of potential security solutions can be used to satisfy the security requirements. There is no single security solution; each small manufacturer will need to understand its operating environment and apply the security requirements to its own situation. Small manufacturers may not have the organizational structure or resources to satisfy every security requirement. It is perfectly acceptable to apply alternative, but equally effective, measures to satisfy a security requirement.
This 800-171 guidance calls for manufacturers to employ compensating controls that differ from specific 800-171 guidelines but combine to meet or exceed them. This is the same legal and technical analysis the CCG has engaged in with respect to both the PCI requirements and the HIPAA guidelines. CCG’s experience enables prompt and economical establishment of the necessary compensating controls.