Background
As of December 31, 2017, all Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulations Supplement (DFARS) minimum security standards. DFARS 253.207-7012 requires organizations with CUI to implement the security requirements in NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” If government contractors fail to comply with the NIST security requirements, they risk losing their defense contracts.
Overview of NIST Special Publication (SP) 800-171
NIST SP 800-171 provides a standardized set of requirements for all CUI security needs. There are a total of 110 security requirements organized by 14 families of controls. The requirements apply to all components of nonfederal systems and organizations that process, store or transmit CUI, or that provide security over these components. These requirements are tailored for non-federal systems and allow government contractors to implement consistent safeguards in their environments to protect CUI.
CUI can be any information that supports federal missions and business functions that affect the economic and national security interests of the United States. Non-federal organizations (colleges, state/local governments, federal contractors, etc.) often process, store or transmit CUI. Some common examples of CUI a defense contractor may have are technical information, engineering drawings, project specifications, standards, manuals, technical reports, data sets, and studies and analysis.
SP 800-171 helps organizations to address potential deficiencies in managing and protecting CUI. Protecting systems with CUI is very important to federal agencies, and safeguards should be in place to defend against potential threats to the confidentiality, integrity and availability of CUI. Complying with the SP 800-171 security requirements should help to reduce the risk to CUI from cyber threats.
Most of the SP 800-171 security controls are only a sentence or two long, and the requirements are somewhat vague and leave much up to interpretation. There are a variety of ways organizations could respond to these requirements. Many organizations are looking for clarification and guidance on the SP 800-171 security requirements, and that is where NIST SP 800-171A comes in.
What Is NIST SP 800-171A?
The final draft of NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information,” was released late February. NIST developed this publication as a companion guide for SP 800-171 to help assessments of the CUI security requirements. SP 800-171A provides a tool for government contractors, subcontractors, third parties and reviewers to improve their understanding of security objectives from SP 800-171. It provides a consistent process for assessment and additional explanation of the requirements.
SP 800-171A provides much more detail for the 110 security requirements listed in SP 800-171. The publication provides customizable procedures that organizations can use to conduct assessments of the security controls. For each CUI security requirement, NIST has provided “Assessment Objectives,” “Potential Assessment Methods and Objects,” and reference to further discussion on the requirement.
The “Assessment Objectives” break down the security controls into separate elements. These elements should be addressed in order to satisfy the requirements. The “Potential Assessment Methods and Objects” section provides recommendations for how the organization/assessor could examine, or test each particular control and also provides suggestions related to who to speak with or interview within a typical organization. The “Discussion” material contains further useful explanations and interpretations of the CUI security requirements. It is intended to facilitate implementing and assessing the controls.
SP 800-171A is a very useful tool for companies looking to achieve or validate NIST 800-171 compliance. The procedures outlined in this draft publication can be used by organizations as a starting point to develop assessment plans and approaches that can produce evidence needed to determine compliance for the CUI security requirements. SP 800-171A can help enterprises to organize, inform, measure and document their assessment of present security and to prepare plans of action for security improvement. Federal agencies can also make use of this publication for the evaluation of contractor compliance.
While SP 800-171A does provide clarification for the SP 800-171 CUI security requirements, it also has a lot of information to digest. It is important to note that SP 800-171A is designed be used as guidance and does not create new security requirements for companies to meet. NIST 800-171 compliance may be a daunting and time-consuming project, but there are many benefits to protecting CUI, including continuing to do business with federal agencies.
If you have any questions related to NIST SP 800-171A or your organization’s compliance with NIST 800-171, please do not hesitate to contact us.
For more information regarding NIST, please visit the Schneider Downs website, as well as the ongoing Our Thoughts On articles being published by our Risk Advisory professionals. If you have any questions related to your organization’s compliance with NIST standards, please contact us.