NIST Seeks to Assist Contractors in Assessing SP 800-171 Compliance
Late last month, the National Institute of Standards and Technology (“NIST”) released a set of documents for public comment that are aimed at helping contractors assess and implement compliance with NIST Special Publication (“SP”) 800-171, which establishes the standards for protecting Covered Defense Information (“CDI”), among other forms of Controlled Unclassified Information (“CUI”). First, NIST released an updated final public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Second, NIST released templates for contractor system security plans (“SSPs”) and plans of action and milestones (“POAMs”). While neither finalized nor mandatory, these documents provide useful guidance for contractors struggling with SP 800-171 compliance.
Updates to SP 800-171A
Much of the substance of SP 800-171A remains unchanged from the previous version that NIST released in November, and which this blog previously discussed. The final public draft is still intended as “a starting point for developing assessment plans and approaches that can produce the level of evidence needed for risk-based decisions or to determine compliance to the CUI security requirements.” Similarly, this most recent draft still groups its assessment procedures by fourteen families of security control requirements, and highlights how an assessor could examine, interview, or test each particular control at issue.
NIST did, however, add two new appendices to the publication, a Glossary and a list of relevant Acronyms. The Glossary in particular could be useful if new FAR based cyber incident reporting are promulgated. The revised version also take steps to make clear that this publication is intended as guidance and should not be interpreted as creating new CUI security requirements. To that end, the original Supplemental Guidance appendix has been replaced with a Discussions appendix that clarifies the intent of the appendix is to facilitate implementation of the security requirements already established by SP 800-171. NIST notes that it plans to move this section to NIST SP 800-171 after the final comment period but it appears that it will remain as guidance rather than new requirements.
Template System Security Plan and Plan of Action & Milestones
Perhaps as important as the guidance found in SP 800-171A are the two template documents—a sample SSP and POAM—that NIST issued to accompany the publication. Under the basic security requirements of SP 800-171, these documents are a required part of a contractor’s system security assessment. And while there is no required form that these documents must take, there is certain information that is essential to a meaningful assessment.
The sample SSP, in particular, walks contractors through all of the information that should be included in a basic SSP. Such details include key points of contact for a system’s operation, descriptions of the system environment, a checklist of system security requirements, and a record of changes log that allows the contractor to track changes to the SSP over time.
Again, contractors are not required to use either the template SSP or POAM. However, for those contractors that have had or are having difficulty preparing these documents, the templates provide an essential building block for creating a meaningful SSP and POAM, and ensuring compliance with SP 800-171. Moreover, even if not required, if DCMA does begin its expected audits for compliance with DFARS 252.204-7012, this could provide the audit agency with a ready checklist. Similarly, if a solicitation asks for an SSP as part of the evaluation criteria, this template could potentially provide support for the sufficiency of a contractor’s SSP. Thus, it is useful for contractors to review the form and compare against their current plans to at least understand any significant differences.