On June 18, 2015, the federal government’s National Institute of Standards and Technology (NIST) issued new data security guidance that will significantly affect those doing business with the government. In a publication titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” NIST provides the basis for future regulations on what practices “nonfederal” entities (such as government contractors) must adopt to adequately protect unclassified controlled technical information (UCTI) in connection with performing their government contracts.
NIST 800-171 focuses on minimum standards and best practices within fourteen “Security Requirement Families” necessary to protect UCTI:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
The publication provides detailed lists of basic and derived security requirements contractors need to employ to meet each of the fourteen standards. The publication extensively references a number of pre-existing policies for data security, particularly NIST Special Publication 800-53 and Federal Information Processing Standards (FIPS) Publication 200, and complements existing UCTI regulations promulgated by the General Services Administration and the Department of Defense. These policies and regulations – plus others not referenced – provide the guidance on minimum requirements and best practices for protecting data that the government entrusts to contractors. This piecemeal approach poses some risk for contractors who do not keep track of all of the applicable regulations and publications and reconcile them with one another to create a satisfactory cybercompliance plan.
While the government works to create more uniformity and clarity in this area – including a uniform FAR clause scheduled for release in 2016 – contractors need to stay in tune with the existing network of rules and standards to ensure that they continue to adequately protect UCTI and comply with their legal obligations to the government.
Contractors can get a start on compliance by:
- Identifying whether they possess UCTI
- Analyzing their current practices, systems and solutions for protecting that data and monitoring data security
- Developing an effective incident response plan and implementing processes for responding to and mitigating the negative effects of security and data loss incidents
Contractors should also be aware of the various cybersecurity clauses in their contracts and ensure compliance with those requirements, including all agency notice requirements. Members of Thompson Hine’s Government Contracts group can help contractors with these assessments.