September 27, 2020

Volume X, Number 271

September 25, 2020

Subscribe to Latest Legal News and Analysis

September 24, 2020

Subscribe to Latest Legal News and Analysis

NIST’s Highly-Anticipated Security Requirements Draft Impacts Government Contractors’ Treatment of CUI

Government contractors have until December 31 to implement security requirements from NIST Special Publication (SP) 800-171 (here) as mandated by the Defense Federal Acquisition Regulation Supplement (DFARS). The requirements include provisions for protecting Controlled Unclassified Information (CUI) (government sensitive but unclassified information; see the CUI Registry here) in nonfederal systems and compliance is expected soon to be required under civilian agency contracts through a forthcoming FAR case. How to implement these requirements has caused some confusion. In response, on November 28, 2017, NIST released its highly-anticipated draft publication providing assessment procedures.

As we reported on in more detail in our GovCon blog, NIST states that its draft publication – NIST SP 800-171A on “Assessing Security Requirements for Controlled Unclassified Information” – will “help organizations develop assessment plans and conduct efficient, effective, and cost-effective assessments of the security requirements in Special Publication 800-171.” The draft special publication includes assessment procedures relating to each of the security requirements in the fourteen families included in NIST SP 800-171. These include requirements for limiting access to controlled information, tracking and reporting cyber incidents, and employee training. The draft publication also describes methods by which companies can “generate evidence to support the assertion that the security requirements have been satisfied.” Thus, it appears an organization that conducts the suggested assessments in the draft publication and generates supporting documentation can present this to its agency customer as proof of compliance with NIST SP 800-171.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume VII, Number 353

TRENDING LEGAL ANALYSIS


About this Author

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law FIrm
Associate

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

202-469-4917