Government security breaches seem to hit the news every other month—keep an eye on your investments—including potential breaches caused by contractors. What may be a surprise is the idea that the government is not sure how many contractors they even have, as the Congressional Budget Office acknowledged in 2015. With an unknown number of contractors handling government information, there is a major concern about what security measures contractor organizations have implemented to protect the sensitive government information that they handle, possess, use, share, or receive. To help address this concern, the National Institute of Standards of Technology (NIST) published Special Publication (SP), 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, in June 2015, and Revision 1 was published in December 2016. NIST SP 800-171 defines security requirements for protecting Controlled Unclassified Information (CUI) created or possessed by non-federal entities.
Controlled Unclassified Information (CUI)
Signed into effect on November 4, 2010, Executive Order 13556 established the CUI program citing ad hoc policies, procedures, and markings for safeguarding the federal executive department and agency information. The order appointed the Nation Archives and Records Administration (NARA) as the Executive Agent to implement and ensure compliance with the order. NARA defines CUI as follows:
2002.4 (h): Controlled Unclassified Information (CUI) is information the Government creates or possesses, or than an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
Simply put, CUI is any non-public executive agency information. For further details on specific CUI, check out the registry on NARA’s website for categories of data classified as CUI.
After that executive order, NARA issued its final rule (81 FR 63323) on CUI on November 14, 2016--the final rule codified 32 CFR 2002 in the Federal Register—and made NIST SP 800-171 the standard for protecting CUI in non-federal systems. This final rule states that a forthcoming Federal Acquisition Regulation (FAR) clause will be developed for incorporation into contracts with organizations that handle, posses, use, share, or receive CUI—this clause will require organizations to be compliant with NIST SP 800-171. However, until the FAR clause is finalized, it remains unclear whether contractors will be given an implementation period; nevertheless, the final rule indicates that agencies should be including contract provisions for compliance now.
Federal contractors and subcontractors conducting government work on their own information systems (and networks, devices, etc.) likely possess CUI and must understand the impact of NIST SP 800-171 on their organization in order to be compliant with federal contracting regulations. For organizations contracting with the Department of Defense (DoD), a clause that set a deadline for contractors to meet the security requirements outlined in NIST SP 800-171 has already been added to the DoD’s Defense Federal Acquisition Regulation Supplement (DFARS):
DFARS 252.204-7012 (b)(2)(ii)(A): The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017…
In addition to the deadline for compliance, contractors are also required to notify the DoD Chief Information Officer of any deviations from the NIST SP 800-171 security requirements within thirty days of contract award going forward. With that being said, a look at the calendar suggests that time is almost up for DoD contractors with deviations.
Nonetheless, in order to achieve compliance—deviations or not—NIST SP 800-171 revision 1 security requirements include 110 basic and derived requirements across fourteen control families:
- Access Controls
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
The security requirements in these fourteen families are based on the NIST’s Federal Information Processing Standard (FIPS) 200 and the NIST SP 800-53 revision 4 moderate baseline security controls that are focused specifically on protecting the confidentiality of CUI. The 110 basic and derived requirements map back loosely to 125 NIST SP 800-53 revision 4 controls and control enhancements. NIST SP 800-53 controls are much more prescriptive than the NIST SP 800-171 security requirements, but give organizations a better understanding of controls that meet the requirements.
Relationship to FedRAMP and Cloud Service Providers
So how does this all tie in? As noted above, the NIST SP 800-171 requirements are a subset of the overall NIST SP 800-53 controls that are required for FedRAMP. If you are a Cloud Service Provider (CSP) providing services to government agencies, FedRAMP is a requirement, and a CSP would arguably meet a superset of the requirements under NIST SP 800-171. In addition, CSP customers that are DoD contractors may require that the CSP meet the FedRAMP moderate baseline if they plan to store or process DoD information in the cloud service (DFARS 252.204-7012 (b)(2)(ii)(D)). The scenario under which a provider would only need to adhere to the 110 basic and derived NIST SP 800-171 controls would be if it is providing a non-cloud solution OR if a CSP is providing services to non-DoD government contractors (as there is currently no FAR clause related to FedRAMP compliance for contractors), but not government entities.
Is Your Organization Compliant?
In order to confirm compliance, the best place to start is to perform a gap assessment of the current information security program being utilized and discern how it aligns with the NIST SP 800-171 security requirements. In December 2016, on Twitter, NIST hinted at a 2017 release of NIST SP 800-171A, which can be presumed to be a companion guide for assessing against NIST SP 800-171 similar to NIST SP 800-53A; however, there is little information on where that stands with less than a month left in the year. Though there is no precedent or requirement for a NIST SP 800-171 certification, the government is putting the responsibility on contractors to determine if their information systems meet the security requirements. An organization is agreeing to meet the requirements by signing that contract, so it’s important to confirm where the level of compliance stands.