The need for strong security measures to protect sensitive government data from hackers has never been more intense. In November alone, the federal government suffered at least four breaches of government information systems, including cyber-attacks on the U.S. Postal Service, the State Department, NOAA, and the White House. What is not discussed in the news reports is the fact that the much of the burden of securing government data falls on government contractors.
The federal government has struggled to adopt a unified and mandatory approach to contractor data security. Each agency has taken a separate approach to adopting cybersecurity requirements, for example DoD recently adopted a new set of regulations governing unclassified “controlled technical information.” Many contractors find the current requirements confusing and at times conflicting between agencies.
In an effort to address this problem, the Department of Commerce National Institute of Standards and Technology has released a draft version of NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations [pdf].
The new NIST guidance is directed at contractors that already have information technology infrastructure and associated security policies and practices in place. The final version of Special Publication 800-171 will attempt to synthesize the federal government’s recommendations to ensure the confidentiality of sensitive federal information stored on contractor computers and information systems. Special Publication 800-171 is part of a three-part plan that will ultimately make these recommendations mandatory. The other parts include a rule proposed by the National Archives and Records Administration—currently under review by OMB—and the eventual adoption of a FAR clause that will apply the requirements of the NARA rule and Special Publication 800-171 to all federal contracts.
Special Publication 800-171 sets forth fourteen specific security objectives. In brief, these recommendations are:
- ACCESS CONTROL: Limit information system access to authorized users.
- AWARENESS AND TRAINING: Ensure that managers and users of organizational information systems are made aware of the security risks and ensure that personnel are adequately trained.
- AUDIT AND ACCOUNTABILITY: Create information system audit records to enable the reporting of unlawful, unauthorized, or inappropriate information system activity; and ensure that the actions of individual users can be traced to be held accountable for their actions.
- CONFIGURATION MANAGEMENT: Establish baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation); and establish security configuration settings for technology products.
- IDENTIFICATION AND AUTHENTICATION: Identify information system users and authenticate (or verify) the identities of those users as a prerequisite to allowing access.
- INCIDENT RESPONSE: Establish an operational incident-handling capability for organizational information systems; and track, document, and report incidents to appropriate authorities.
- MAINTENANCE: Perform periodic maintenance on organizational information systems; and provide effective controls on the tools and personnel used to conduct maintenance.
- MEDIA PROTECTION: Protect information system media containing CUI, both paper and digital; and limit access to CUI on information system media to authorized users.
- PHYSICAL PROTECTION: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- PERSONNEL SECURITY: Screen individuals prior to authorizing access to information systems containing CUI.
- RISK ASSESSMENT: Periodically assess the risk to organizational operations, assets, and individuals.
- SECURITY ASSESSMENT: Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; develop and implement plans of action designed to correct deficiencies.
- SYSTEM AND COMMUNICATIONS PROTECTION: Monitor, control, and protect organizational communications (i.e., information transmitted or received by information systems).
- SYSTEM AND INFORMATION INTEGRITY: Identify, report, and correct information and information system flaws in a timely manner; and provide protection from malicious code.
Each recommendation contains a more detailed checklist of requirements that contractors will be able to use to meet the security objective. In many cases, the requirements and objectives will overlap with security processes that contractors already have in place.
NIST recognizes that the objectives can be satisfied through a variety of different solutions. Further, the draft version of Special Publication 800-171 encourages federal agencies to work with small businesses to consider alternative security requirements that may be more feasible for smaller contractors.
Although Special Publication 800-171 is not yet mandatory, federal contractors may see the recommendations appear in government contracts. The publication authorizes agencies to incorporate the recommendations “where necessitated by exigent circumstances.”