President Obama issued Executive Order (EO) 13556, Controlled Unclassified Information, on 04 November 2010.
It was this EO that laid the groundwork for NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
As of December 2015 (23 months ago), DFARS 225.204-7012 required DoD contractors to implement NIST 800-171 “as soon as practical, but not later than December 31, 2017”. This deadline is now 30 days away, and many contractors are not complaint. What is worse, is that many have not taken steps to comply, putting their business at risk.
There is a lot of debate over what is and what is not Controlled Unclassified Information (CUI), and many small businesses think they do not have to comply because they are subcontractors, or they think they don’t hold any CUI. However, the problem is that the big, multi-billion dollar DoD prime contractors (you know who they are) are not taking ANY chances with NIST 800-171 at all, because billions of dollars are at stake.
Here is the bottom line – if you have a Commercial and Government Entity Code (CAGE Code), https://www.fsd.gov/fsd-gov/answer.do?sysparm_number=kb0011119 and you fall anywhere within the DoD supply chain (whether its materials or labor), you need to comply with NIST 800-171. If your business is not compliant by December 31, 2017, the prime contractors will just remove you from their list of suppliers.
Sadly, it is well known in the InfoSec community that 800-171 is going to convert countless formerly thriving small businesses into corpses, when they choose not to comply.