The laws are on the books and the auditors are starting to enforce compliance, so how can an expensive and complicated compliance requirement become much easier to obtain for defense contractors?
First, let’s understand from the table below that NIST 800-171 R1 is a subset of controls from the FedRAMP Baseline, which is a subset of controls and control enhancements from the gigantic NIST 800-53 R4 document.
NIST 800-171 R1 is simply the minimum set of controls, as adopted by the U.S. Department of Defense, required to protect controlled unclassified information (CUI) outside of the government. FedRAMP is the Federal Risk and Authorization Management Program, which is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Another simple way to say that is, “FedRAMP is US government audited secure application and data hosting”.
Since NIST 800-171 R1 is just a 38% subset of the FedRAMP control baseline and FedRAMP compliance is where the commercial hosting market is headed to satisfy the needs of hosting government data, then the easiest and often least expensive way to ensure conformity with NIST 800-171 R1 is to host your company’s applications and data in a FedRAMP-Authorized Cloud.