FAQs – DFARS/NIST 800-171 Compliance Program

External Resource:
Office of the Under Secretary of Defense for Acquisition, Technology and Logistics
“Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018); Frequently Asked Questions” Click here or graphic below.

Frequently Asked Questions for Georgia Tech

What is DFARS?
DFARS – Defense Federal Acquisition Regulation Supplement. A supplement to the FAR that provides DoD-specific acquisition regulations that DoD government acquisition officials – and those contractors doing business with DoD – must follow in the procurement process for goods and services.

What is NIST 800-171?

NIST Special Publication 800-171 – Protection Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST 800-171)

The purpose of this NIST publication is to provide guidance for federal agencies to ensure that certain types of federal information is protected when processed, stored, and used in non-federal information systems.
NIST 800-171 applies to Controlled Unclassified Information (also called CUI) shared by the federal government with a nonfederal entity.
Designed to protect CUI in nonfederal IT systems from unauthorized disclosure. There are 14 families of security requirements outlined in NIST 800-171, comprising 109 individual controls.
Replaces the jumbled patchwork of existing agency rules.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) at Georgia Tech can include, but is not limited to,:

Federally funded research
Health information
Student records
Visa records

Where can I Access the Federal Controlled Unclassified Information Registry?

https://www.archives.gov/cui/registry/category-list

Why is this important to Georgia Tech?

Georgia Tech has a number of research contracts from various sources at any one time, representing a sizable financial funding source to the research community. As competition for future research funding increases, those universities with an existing NIST 800-171 compliance program can leverage that advantage into more contracts. Consequently, a failure to meet existing compliance requirements may result in contract termination and the loss of contract funds.

How do I get a background screening?

Please go to this page on sites.gatech.edu/cui.

Who should I contact for more information?

For additional information, contact compliance@security.gatech.edu.