Government contractors who think cyber and information security applies only to classified or Department of Defense (DoD) contracts take note: a new set of standards is on the horizon. The National Institute of Standards and Technology (NIST) will soon be finalizing its new Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, after fielding comments and questions on its latest draft.
NIST has recommended that agencies use SP 800-171, once finalized, to govern how contractors safeguard controlled unclassified information (CUI). The security requirements used in safeguarding CUI will be grouped into families including, among others:
- Access control: which generally limits system access to authorized users;
- Awareness and training: which generally alerts employees to information security risks;
- Incident response: which involves developing operations to prepare for, detect, analyze, contain, recover from, and respond to incidents affecting information; and
- Personnel security: which involves screening individuals before granting them access to information systems with CUI.
What Are Nonfederal Information Systems and Organizations and Why Is NIST Focusing On Them Now?
NIST has issued the draft of SP 800-171 in advance of an anticipated rule on CUI from the National Archives and Records Administration (NARA). Under the rule, NARA is expected to re-designate many different references to unclassified information (e.g., "For Official Use Only," "Sensitive But Unclassified," etc.) into common terms with uniform definitions under the general category of CUI. Since CUI covers such a broad scope of information, even some types of contractor-generated information residing on contractor-owned systems may be characterized as CUI. NIST, recognizing the scope of CUI, has focused 800-171 on nonfederal information systems.
Will SP 800-171 Apply to Federal Contracts After It Is Finalized?
Contractors should note that after SP 800-171 is finalized, it will not automatically apply as an information security requirement. However, NIST has recommended that federal agencies cite to SP 800-171 as an information security standard for handling CUI until a more formal FAR-based rule is promulgated. Contractors should therefore be aware of new agency-specific contract requirements citing to or incorporating SP 800-171.
Including the requirements referenced above, SP 800-171 establishes 14 security requirement families, setting the minimum level of information security a contractor should have in order to adequately safeguard CUI. Those security requirements include:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Security
How Does This Relate to DFARS 252.204-7012, Safeguarding of Unclassified Controlled Technical Information?
Contractors who perform under Department of Defense contracts requiring the safeguarding of unclassified controlled technical information (UCTI) should be careful not to confuse the DFARS clause with any future implementation of SP 800-171. The DFARS clause prescribes many security controls under NIST SP 800-53,Security and Privacy Controls for Federal Information Systems and Organizations, that are similar to the security guidelines under SP 800-171. However, compliance with the DFARS clause will not necessarily address requirements of SP 800-171. For example, SP 800-171 prescribes a Personnel Security requirement, whereas Personnel Security is not included in the set of SP 800-53 security controls prescribed under DFARS 252.204-7012. Similarly, UCTI may not be as broad as the scope of CUI to be covered under 800-171. The DFARS clause focuses on technical information with military or space application that is subject to a number of controls and is marked with specific distribution statements. As addressed above, SP 800-171 contemplates that CUI may be more broadly defined, and actually originate from a contractor-owned system.
As contractors wait for SP 800-171 to be finalized, and for NARA to promulgate its rule on CUI, there are some basic steps to take in order to be prepared:
Closely monitor to ascertain when NARA issues its new rule on CUI, then evaluate whether any information that you have developed or possess falls under one of the categories of CUI;
Closely review the finalized SP 800-171 to determine whether your organization has security controls in place that can comply with the requirements for safeguarding CUI;
Inform company personnel who regularly interface with federal customers to look for any efforts by federal customers to modify contracts to implement NIST 800-171 standards, or alternatively, to impose the standards on the company without formally modifying the relevant contract; and