On June 19, 2019, the National Institute of Standards and Technology (“NIST”) issued its draft SP 800-171B guidelines (the “draft”), which outlines enhanced measures to protect controlled unclassified information (“CUI”) held by government contractors.
Building on NIST’s existing SP 800-171 guidelines for protecting CUI on non-federal systems, the draft’s enhanced measures are intended to apply only to components that process, store, transmit or provide security for CUI “contained in a critical program or high-value asset.” The strengthened security requirements are intended to protect the integrity of CUI by promoting: (1) penetration resistant architecture; (2) damage limiting operations; and (3) designing for cyber resiliency and survivability.
The draft outlines 31 recommendations, including dual-authorization, access restriction and network monitoring activities. When finalized, the draft's guidelines are expected to be applied on a case-by-case basis to the small fraction of Department of Defense ("DoD") contractors that hold high-value cyber assets or critical defense program information.
The DoD already requires its contractors to comply with the existing NIST SP 800-171 through DFARS 252.204-7012. Other agencies, such as the General Services Administration and the Department of Homeland Security, have announced or proposed requiring contractor implementation of NIST SP 800-171, but have not finalized those plans.
Because compliance with NIST SP 800-171 can be difficult for some contractors, and because the DoD has not, in fact, clearly articulated the breadth of information covered by DFARS 252.204-7012, the DoD had until recently been relatively flexible in verifying compliance with NIST SP 800-171. On January 21, 2019, however, the Under Secretary of Defense for Acquisition and Sustainment issued a memo directing more careful review of contractor compliance with NIST SP 800-171.
Technical comments on draft SP 800-171B are due by July 19, 2019.