NIST’s Highly-Anticipated Security Requirements Draft Impacts Government Contractors’ Treatment of CUI
Government contractors have until December 31 to implement security requirements from NIST Special Publication (SP) 800-171 (here) as mandated by the Defense Federal Acquisition Regulation Supplement (DFARS). The requirements include provisions for protecting Controlled Unclassified Information (CUI) (government sensitive but unclassified information; see the CUI Registry here) in nonfederal systems and compliance is expected soon to be required under civilian agency contracts through a forthcoming FAR case. How to implement these requirements has caused some confusion. In response, on November 28, 2017, NIST released its highly-anticipated draft publication providing assessment procedures.
As we reported on in more detail in our GovCon blog, NIST states that its draft publication – NIST SP 800-171A on “Assessing Security Requirements for Controlled Unclassified Information” – will “help organizations develop assessment plans and conduct efficient, effective, and cost-effective assessments of the security requirements in Special Publication 800-171.” The draft special publication includes assessment procedures relating to each of the security requirements in the fourteen families included in NIST SP 800-171. These include requirements for limiting access to controlled information, tracking and reporting cyber incidents, and employee training. The draft publication also describes methods by which companies can “generate evidence to support the assertion that the security requirements have been satisfied.” Thus, it appears an organization that conducts the suggested assessments in the draft publication and generates supporting documentation can present this to its agency customer as proof of compliance with NIST SP 800-171.