WHAT IS NIST 800-171?
The purpose of the 800-171 publication is to provide federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI):
- When the CUI is resident in nonfederal information systems and organizations
- When the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies
- Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry
WHO MUST COMPLY WITH NIST 800-171?
Pretty much any non-federal organization that works with or provides services to the federal government must comply! The requirements apply only to components of NON-FEDERAL information systems that process, store, or transmit CUI, or that provide security protection for such components. The CUI requirements are intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and non-federal organizations. The NIST 800-171 publication outlines “basic” security standards and controls designed to provide guidance for the protection and safeguarding of CUI by federal contractors and subcontractors who process, store, or transmit information as part of their “routine” business operations.
WHAT ARE THE DEADLINES FOR COMPLIANCE?
The deadline to meet NIST 800-171 compliance was December 31, 2017, and it is estimated that only 1% met that deadline. We expect the deadline to be reissued for 2018 that puts more teeth into the requirements of complying.
WHAT IS DEFENSE FEDERAL ACQUISITION REGULATION SUPPLEMENT (DFARS)?
DFARS is a supplement to the Federal Acquisition Regulations (FAR) that provides Department of Defense specific acquisition regulations that Department of Defense (DoD) government acquisition officials, and those contractors doing business with DoD, must follow in the procurement process for goods and services.
NIST SP 800-171 was designed specifically for NON-FEDERAL information systems — those in use to support private enterprises. Revisions to the DFARS clause in August 2015 made this publication mandatory for defense contractors who have the DFARS 252.204-7012 clause in any contract.
WHAT DOES COMPLIANCE MEAN AND HOW IS IT MEASURED?
When you sign a federally awarded contract, you are attesting to the fact that your IT systems are compliant. The DoD will not and does not provide compliance certification. It is up to each contractor and applicable sub-contractors to self-certify prior to signing a contract. A System Security Plans (SSP), along with a Plan of Action and Milestones (POA&M) indicating how you plan to address and resolve any current gaps in compliance, can be used as evidence of compliance efforts. It is likely that a government-contracting officer (GCO) will request that you submit both an SSP and a POA&M. If you have prepared an SSP and POA&M, but have not implemented all of the NIST SP 800-171 requirements, it is up to the government as to whether or not they will accept the risk detailed in your SSP and POA&M.
WHAT IS COVERED DEFENSE INFORMATION (CDI) AND HOW IS IT DEFINED IN THE CONTRACTS?
Covered defense information means unclassified controlled technical information as described in the Controlled Unclassified Information (CUI) Registry. Expect contract Section J to include a list of CDI data that will be provided by the government.
WHAT IS CUI & HOW TO KNOW IF YOUR BUSINESS HANDLES IT?
Controlled Unclassified Information (CUI) consists of anything which should not be made public, but which also is not sensitive enough to require high-level security clearance. Examples include:
- Personal Information – Things like legal documents, health information, Social Security numbers, credit card information and various other personal information that is not generally available to the public.
- IT Security - Anything, which might compromise the integrity of information systems or the way in which data, is processed, stored and transmitted.
- Financial Information – Anything from corporate financials, taxes, purchase orders, bank transactions to payroll. If it contains financial data, it must comply.
- Intellectual Property – This covers things like research, engineering and architectural data, Drawings/schematics/build specifications, project plans, technical reports, patents, etc.…
- Corporate Information – Partnership agreements, procurement and acquisition agreements, proprietary business information and safety information.
The rule of thumb is that if a system or network device processes, stores or transmits CUI it must comply with 800-171. This includes routers, switches and desktops.
HOW DO I PROVE COMPLIANCE?
At this point in time, self-attestation is considered sufficient. It is NNT’s view that a well-documented System Security Plans that maps to the fourteen NIST 800-171 control families will be sufficient should questions arise around compliance.
WHAT WILL DEFENSE CONTRACT MANAGEMENT AGENCY (DCMA) LOOK FOR WHEN CONSIDERING COMPLIANCE?
- Verify that you have an SSP in place.
- Verify that you turned in your 30-day notification disclosing which security controls have not yet been implemented.
DO I NEED A 3RD PARTY TO AUDIT MY COMPANY FOR COMPLIANCE?
No, not at this point. However, there are companies that can be contracted to provide an external assessment. NNT is strategically aligned with a few of these companies and we are happy to make formal introductions.
WILL COMPLIANCE BE AN EVALUATION FACTOR IN PURSUING GOVERNMENT CONTRACTS?
The government can use the NIST SP 800-171 SSP as a vehicle to technically evaluate compliance requirements and deny awarding a contract.
DO 2nd AND 3rd TIER SUPPLIERS NEED TO COMPLY?
Depends. DFARS clause 252.204–7012 stipulates only subcontractors whose efforts and activities will involve CDI.
HOW WILL PRIME CONTRACTORS ENSURE COMPLIANCE FROM THEIR SUPPLIERS?
Prime contractors need to control what data flows to subcontractors based on the CDI data the subcontractors need access to in order to do their jobs. If a subcontractor has not and cannot implement the required CDI protections, then CDI should not be shared with the subcontractor.
HOW ARE NIST 800-171 AND FIPS RELATED?
The CUI requirements recommended in 800-171 are derived from Federal Information Processing Standards (FIPS) Publication 200 and the moderate security control baseline in NIST 800-53 and based on the proposed CUI regulation (32 CFR Part 2002, Controlled Unclassified Information). FIPS are publicly announced standards developed by the US federal government to use in computer systems by nonmilitary government agencies and government contractors.
FIPS 200 is the second standard that was specified by the Information Technology Management Reform Act of 1996 (FISMA). It is an integral part of the risk management framework that NIST has developed to assist federal agencies in providing levels of information security based on levels of risk. FIPS 200 specifies minimum-security requirements for federal information and information systems and a risk-based process for selecting the security controls necessary to satisfy the minimum requirements.
WHAT ARE THE CONTROL REQUIREMENTS, WHERE DO YOU START AND WHICH NNT PRODUCTS HELP ACHIEVE COMPLIANCE?
While 171 is very descriptive in what needs to be accomplished to meet security compliance around CUI, it does not advise or prioritize on where to start. The Center for Internet Security is a collaborative organization that understands companies use multiple frameworks including 800-171 to help guide their cybersecurity strategy. The CIS Controls were developed to work as a companion to additional frameworks like 800-171 to help prioritize efforts and action to become compliant. These Controls are not just another list of good things to do, but a prioritized, highly focused set of actions that make them implementable, usable, scalable, and compliant with all industry or government security requirements.
Controls CSC 1 through CSC 5 are essential to a successful security foundation and should be considered among the very first things to be done. These are often referred to as “Foundational Cyber Hygiene” – the basic things that you must do to create a strong foundation for your defense. These five controls map directly to NNT’s Change Tracker™ Gen 7 R2 set of deliverables.
WHEN IS NNT’S CHANGE TRACKER™ GEN 7 R2 REQUIRED?
NNT’s Change Tracker™ product maps directly to 9 of the 14 security control families. To better understand what those controls are and where an organization might effectively start…you can download NNT’s 800-171 tear sheet here.
WHEN IS NNT’S LOG TRACKER ENTERPRISE™ REQUIRED?
If a NIST 800-171 compliance target already has a SIEM product/solution implemented, then it is unlikely that they need Log Tracker™. Change Tracker™ Gen 7 R2 would need to be deployed and can integrate with any of the leading SIEM providers.
CHANGE TRACKER™ GEN 7 R2 AND OTHER LEADING FRAMEWORKS?
NNT maps directly into the leading technology frameworks. ITIL and COBIT for example map directly to the system configuration management and change control features provided by NNT. NNT also directly maps to the foundational, critical controls laid out by the Center for Internet Security and SANS.