October 16, 2018


NIST Releases New Draft Publication Designed to Assist Contractors In Assessing Compliance with NIST SP 800-171

Ahead of the upcoming December 31, 2017 deadline for federal defense contractors to implement National Institute of Standards and Technology (“NIST”) Special Publication 800-171 (“SP 800-171”), NIST has released a new draft publication designed to assist organizations in assessing compliance under SP 800-171, Draft Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information (“CUI”) (“SP 800-171A”).

Currently, no regulation or statute imposes SP 800-171A on contractors. Rather, SP 800-171A is intended as guidance for organizations in developing assessment plans and conducting “efficient, effective, and cost-effective” assessments of the implementation of the security controls required by SP 800-171. Like SP 800-171, SP 800-171A does not prescribe specific, required assessment procedures. Instead, it provides a set of “flexible and tailorable” procedures that organizations could use to assess each security control in SP 800-171. SP 800-171A recognizes three distinct assessment methods: examining and interviewing, which are used to facilitate understanding, achieve clarification, or obtain evidence; and testing, which is used to compare actual results with expected results.

Requirements of SP 800-171A:

Following the format of SP 800-171, SP 800-171A groups its assessment procedures by the fourteen families of CUI security requirements and describes how an assessor could examine, interview, or test for each particular control at issue. Although SP 800-171A suggests that a majority of the controls could be evaluated using all three methods, it recognizes that some controls can only be effectively assessed using a subset of them. SP 800-171A also recognizes that organizations need not assess every control: controls that are not applicable to a particular organization should not be assessed, but should instead be documented as not applicable in the organization’s System Security Plan (“SSP”).

Consistent with its recent update to NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (“SP 800-53”), in creating this publication, NIST used the term “system” rather than “information system” to reflect that CUI needs to be safeguarded on a broader array of contractor information systems such as industrial and process control systems, cyber-physical systems, and individual devices that are part of the Internet of Things.

Impact on Contractors:

Although there is currently no requirement that defense contractors follow the procedures in SP 800-171A, the draft publication was designed as “a starting point” for organizations to use in developing assessment plans and determining compliance with NIST SP 800-171. In particular, SP 800-171A notes that “[o]rganizations can use the assessment procedures to generate evidence to support the assertion that the security requirements have been satisfied.” Such evidence could be used in a variety of ways: as the basis for identifying security-related weaknesses in a system, as an aid in source selection, or by the Defense Contract Management Agency (“DCMA”) when auditing contractor compliance with Defense Federal Acquisition Regulation Supplement (“DFARS”) clause 252.204-7012.

Attached to SP 800-171A is an appendix that provides supplemental guidance for implementing and assessing the CUI security requirements in SP 800-171. As currently drafted, many of the SP 800-171 security controls are only a sentence or two long. The supplemental guidance is based on the more detailed “security controls in NIST Special Publication 800-53 and is provided to give assessors a better understanding of the mechanisms and procedures used to implement the safeguards employed to protect CUI.” NIST states that this supplemental guidance will be included in the next update to SP 800-171.

As noted in a previous blog post, NIST is in the process of revising SP 800-53, which currently applies only to federal systems. One of the stated objectives of the revised version, however, is to make SP 800-53’s cybersecurity and privacy standards and guidelines accessible to non-federal and private-sector organizations for voluntary use on their systems. Because NIST is now incorporating SP 800-53 guidance more explicitly into the CUI publications, defense contractors may ultimately see a blurring of some of the requirements of SP 800-171 and SP 800-53.

© 2018 Covington & Burling LLP

About this Author

Susan B. Cassidy, Government Contracts Attorney, Covington Burling, Law Firm
Partner

Susan Cassidy advises clients on the complex rules and regulations imposed on government contractors, with a special emphasis on the defense and intelligence sectors. She combines a sophisticated knowledge of the FAR and DFARS with the practical insight gained from senior in-house positions at both dedicated defense and commercial item contractors.

Ms. Cassidy conducts internal investigations for clients on a wide array of government contracts and national security compliance issues. She regularly advises on FAR mandatory disclosure obligations and represents...

202-662-5348
Ashden Fein, Litigation attorney, Covington Burling
Associate

Ashden Fein advises clients on cybersecurity and national security matters, including government and internal investigations, regulatory, and complex litigation matters.

For cybersecurity matters, Mr. Fein specifically counsels clients on preparing for and responding to cyber-based attacks, assessing their security controls and practices for the protection of data and systems, developing and implementing cybersecurity programs, and complying with federal and state regulatory requirements. Mr. Fein also has been the lead investigator and crisis manager for multiple complex cyber and data security incidents, including data security breach matters involving millions of affected consumers, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

202.662.5116