Navigating Cybersecurity Assurance in the Healthcare Industry – Achieving NIST SP 800-171 Compliance Under Tight Deadlines

 

Executive Summary

As federal cybersecurity requirements expand beyond traditional defense contractors, healthcare organizations increasingly face compliance obligations under NIST Special Publication (SP) 800-171. These requirements often arrive with limited guidance, compressed timelines, and high operational risk if not met.

This white paper presents a case study of how Aspis Consulting supported a small healthcare organization in successfully completing a NIST SP 800-171 self-attestation required by a federal contract and administered through the Department of Health and Human Services (HHS) to support United Network for Organ Sharing (UNOS) which operates the Organ Procurement and Transplantation Network (OPTN).

After an initial rejection of a self-assessment performed by the client and they received an extension, Aspis Consulting engaged the organization and delivered a complete, defensible compliance package including a System Security Plan (SSP), supporting policies, and clarified control narratives within three weeks. The revised submission was accepted by OPTN with no exceptions or corrective actions identified.

This case study illustrates how clear scoping, structured documentation, and practical interpretation of NIST SP 800-171 can enable successful compliance outcomes for small and mid-sized organizations.

Background: NIST SP 800-171 in a Healthcare Context

NIST SP 800-171 establishes requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. While originally associated with Department of Defense (DoD) contractors, these requirements are increasingly incorporated into contracts and policies administered by other federal agencies and quasi-federal entities.

In this case, compliance was required under a new OPTN security policy, enforced through HHS and UNOS, as a condition of a federal contract supporting the national organ transplantation infrastructure.

Unlike traditional IT or defense environments, healthcare coordination organizations often face unique challenges, including:

• Non-obvious system boundaries
• Limited internal cybersecurity staff
• Confusion around applicability of controls
• Lack of formal compliance artifacts such as SSPs

The Client Situation

The organization involved in this engagement can be characterized as:

• Small business
• Approximately 85 employees
• Operating in a healthcare coordination role supporting federally governed programs

Prior to engaging Aspis Consulting, the organization had:

• Conducted an internal self-assessment
• Submitted control implementation statements and statuses to HHS
• Received a rejection letter from HHS
• Requested and received a submission extension

Key challenges included:

• No existing System Security Plan (SSP)
• Uncertainty about what constituted a “system” under NIST SP 800-171
• Overuse of “Not Applicable” designations for controls
• Lack of clarity regarding scope, including whether UNet (OPTN’s system) was in scope
• Limited understanding of why the original submission was rejected

Although OPTN clarified that UNet was not the in-scope system for the organization, the client still lacked a structured and defensible approach to compliance.

Engagement Objectives

Aspis Consulting was engaged to support a NIST SP 800-171 self-attestation, not a certification or third-party audit. The objectives were to:

1. Clarify the applicable system boundary and scope
2. Align control implementation statements with NIST SP 800-171 expectations
3. Develop required compliance documentation
4. Enable timely resubmission within the extension period
5. Reduce uncertainty and compliance risk

Aspis Consulting Methodology

1. System Scoping and Boundary Definition

Aspis worked closely with the client to:

• Identify the actual organizational system subject to NIST SP 800-171
• Determine where CUI was processed, stored, or transmitted
• Correct misunderstandings around control applicability

This step addressed the root cause of many issues in the rejected submission.

2. Control Mapping and Narrative Development

Rather than discarding prior work, Aspis:

• Reviewed the client’s existing control statements
• Mapped them to the 110 NIST SP 800-171 controls
• Rewrote narratives to align with the NIST assessment methodology

The focus was on applicability, accuracy, clarity, and defensibility.

3. Development of Core Compliance Artifacts

Aspis delivered the following key artifacts:

• A complete System Security Plan (SSP) using the NIST SP 800-171 CUI SSP template
• A tailored set of information security policies suitable for incorporation into the client’s security program
• Identification of gaps and remediation considerations (informal Plans of Action and Milestones/POA&Ms)
• Clear consistent control implementation statements

4. Structured Project Management and Communication

The engagement included:

• A formal kick-off meeting
• Multiple status and working sessions
• Weekly written status reports
• A close-out meeting reviewing deliverables, findings, and next steps

This ensured transparency, alignment, and leadership confidence throughout the process.

Results and Outcomes

The engagement was completed in three weeks, enabling the client to review deliverables and resubmit prior to the end of the extension period.

Following resubmission:

• The self-attestation was accepted by OPTN
• No corrections or follow-up actions were requested
• OPTN stated:
  • “No specific gaps were identified during the analysis based on available information and UNOS’ Member Security Team’s experience with these gaps.”
  • “No exceptions were noted.”

From the client:

“We got our response back from the OPTN and it’s GOOD!!”

The organization moved from rejection and uncertainty to a successful, defensible compliance outcome.

Key Lessons Learned

This case study highlights several important considerations for organizations facing NIST SP 800-171 requirements:

• Compliance failures often stem from scoping and documentation issues, not technical incapability
• Self-attestation still requires structured evidence and clear narratives
• NIST SP 800-171 can be applied effectively outside traditional defense environments
• Small organizations can achieve compliance without enterprise-scale resources

Conclusion

NIST SP 800-171 compliance is increasingly relevant across sectors, including healthcare-adjacent organizations supporting federally governed programs. With proper scoping, structured documentation, and practical interpretation, self-attestation can be both achievable and defensible.

Aspis Consulting specializes in helping organizations translate complex federal cybersecurity requirements into clear, actionable compliance outcomes—supporting mission continuity while reducing risk.

About Aspis Consulting

Aspis Consulting provides advisory and compliance support to small and mid-sized organizations navigating federal cybersecurity requirements. Services include NIST SP 800-171 self-assessments, System Security Plan development, policy design, and compliance readiness support.  Further, as a Kaseya partner we can help implement key cybersecurity technologies such as end-point device management and security, 24/7 SOC, anti-virus, penetration testing, business continuity planning and recovery solutions, and much more.