Federal government contractors, grantees and those with cooperative agreements may find themselves in possession of (or handling) government information which the U.S. Department of Defense (DoD) considers to be sensitive or confidential but not considered “classified.” On Dec. 31, 2017, in accordance with DFARS 252.204-7012 the National Institute of Standards and Technology (NIST) Special Publication 800-171 “Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations” or the “Cyber Clause” went into effect. The purpose of the clause is to provide a uniform standard for the handling of CUI and to provide a roadmap for safeguarding CUI and covered defense information (CDI) that is a subset of CUI. Specifically, the new regulation focuses on addressing “deficiencies in managing and protecting unclassified information” including “inconsistent markings” and “inadequate safeguarding” by “standardizing procedures” for the handling of CDI/CUI and “providing common definitions through a CUI Registry.”
CDI is defined as unclassified information, as described in the CUI Registry that requires safeguarding or dissemination controls and requires, at minimum, the implementation of NIST SP 800-171 controls.
Specifically, the definition of CDI reads:
Covered defense information means unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is—
-
Marked or otherwise identified in the contract, task order or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
-
Collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract.
DFARS 252.204-7009
Having a robust compliance program in place and updating it as required is the key to meeting NIST 800-171’s requirements.
Contractors are required to certify compliance with the cyber clause. The DFARS requirements concern reporting cyber incidents and addressing consequences of the loss of the information are assessed and minimized via the cyber incident reporting and damage assessment process. The regulation identifies 14 procedures contractors must implement to safeguard CUI.
- Access Control;
- Awareness and Training;
- Audit and Accountability;
- Configuration Management;
- Identification and Authentication;
- Incident Response;
- Maintenance;
- Media Protection;
- Personnel Security;
- Physical Protection;
- Risk Assessment;
- Security Assessment;
- System and Communications Protection; and
- System and Information Integrity. (DFARS 252.204.7012, under FAR 52.204-21 cybersecurity requirements that overlap with six of the DRARS requirements also govern non-DoD contractors)***
Small business or subcontractors that store processes or transmits federal contract information, but have limited IT or cybersecurity expertise may feel intimidated by the new requirements of NIST SP 800-17; but the intent of the DoD regulation was not to require contractors to develop new systems to store and transmit CUI, rather it was to enable contractors to use systems they already have in place. Most requirements in NIST SP 800-17 are about policy, process, and configuring IT securely, while others require security-related software (such as anti-virus) or additional hardware. With the exception of the multifactor authentication requirement, no additional software or hardware is typically required by the new rule. For example, derived security requirements from the “access control” category include monitoring and controlling remote access sessions, routing remote access via managed access control points, and using session lock with pattern-hiding displays to prevent access/viewing of data after periods of inactivity.
If your company is new to the requirements, a reasonable approach to becoming NIST SP 800-17 compliant may include:
- Examining each of NIST SP 800-171’s the requirements to determine:
- Policy or process requirements to be implemented through in IT (e.g., through configuring IT in a certain way or through use of specific software)
- IT configuration requirements
- Any additional software or hardware required
- If unsure of what a requirement means, companies should refer to the mapping table in Appendix D to NIST SP 800-171, identify the NIST SP 800-53 control, and consult the Supplemental Guidance related to that control
- Most requirements entail determining what the company policy should be (e.g., what should the interval between password changes be) and configuring IT systems to implement the policy.
- When the term “control” or “manage” is used, it does not necessarily require a technical implementation – often a process or policy (with an ability to periodically check to ensure the policy/process is being followed) will suffice.
- Based on the above, determine which requirements can be accomplished by in-house IT personnel and which require additional research to bring the company into compliance by company personnel or outside technical experts.
Note that the NIST SP 800-171 does not implement any new oversight paradigm. It is up to the contractor to determine that its system meets the requirements. Contractors will need a robust compliance program in place and continually update their compliance in order not to run afoul of this new certification required for the award of new contracts and any additional work under existing contracts with DoD.
*** NIST 800-171 had a later revision (Rev. 1), which the DoD implemented, that permits companies to create a SSP (system security plan) and POAM (plan of actions and milestones) that describes the process in which a company will implement the 14 controls outlined in NIST 800-171. Provided that companies create a SSP and POAM by Dec. 31, they will remain compliant with the DFARS provision under the DoD guidance linked above.