The National Institute of Standards and Technology (NIST) is the official measure institute for the United States. It is a non-regulatory government agency that belongs to the Department of Commerce. NIST is responsible for creating measurement standards to improve efficiency in data centers. The NIST has recently released Special Publication 800-171 which covers the security of Controlled Unclassified Information (CUI), specifically in Information Systems and Organizations outside of the government.
This new publication provides guidance on ensuring that systems designed to process, store, or transmit CUI information are properly secured. Compliance with the 800-171 standard follows a set of technical policies outlined by NIST SP800-171. A deadline of December 31, 2017 has been set for compliance or to report delays.
What are the NIST 800-171 Requirement’s Origins
The National Archives and Records Administration was designated by Executive Order 13556 as the Executive Agent to create and implement the CUI program.
On August 26, 2015, and updated December 30, 2015, the United States Department of Defense (DoD) issued a new interim rulemaking significant changes to the way the US DoD addresses cyber security. As a supplier, you should be aware of the significantly expanded obligations on defense contractors and subcontractors with regard to the protection of unclassified Covered Defense Information (CDI) and the reporting of cyber incidents occurring on unclassified information systems that contain such information. The applicable Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. Key changes are summarized below. It is imperative that all suppliers fully understand their obligations required under this new clause.
Who is Responsible for Maintaining the NIST 800-171 Program?
The Information Security Oversight Office (ISOO) of the National Archives and Records Administration is responsible for it. ISSO issued a memorandum in April of 2013 to government agency leads on the program’s management.
The Information Security Oversight Office (ISOO) exercises Executive Agent responsibilities for the CUI Program. In consultation with the Office of Management and Budget and affected agencies, on September 14, 2016, ISOO issued CUI Notice 2016-01, ‘Implementation Guidance for the Controlled Unclassified Information Program.’ CUI Notice 2016-01 outlines the phased implementation deadlines for agencies and describes the significant elements of a CUI Program.
ISOO’s memorandum to the heads of executive departments and agencies, “Appointments of Senior Agency Official and Program Manager for the Controlled Unclassified Information (CUI) Program Implementation,” dated April 11, 2013, requested that agencies affirm or update their initial designations of their CUI Senior Agency Official (SAO) and also requested that they assign a CUI Program Manager (PM).
NIST 800-171 affects whom exactly?
Any individual or business/contractor who processes, stores, or transmits information for or with federal or state agencies that falls into one of many CUI categories is affected. This includes all governmental contractual relationships. Nearly all private industry companies are going to be subjected to the security requirements as dictated by NIST 800-171
The CUI categories list of information has been made available by NARA here.
What are the NIST 800-171 requirements?
There are 14 categories of security requirement. Each category has a set of policy tests which affected programs must meet.
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
NIST 800-171 R1 is simply the minimum set of controls, as adopted by the US Department of Defense, required to protect controlled unclassified information (CUI) outside of the government. FedRAMP is the Federal Risk and Authorization Management Program, which is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Another simple way to say that is, “FedRAMP is US government audited secure application and data hosting.”
Since NIST 800-171 R1 is just a 38% subset of the FedRAMP control baseline and FedRAMP compliance is where the commercial hosting market is headed to satisfy the needs of hosting government data, then the easiest and often least expensive way to ensure conformity with NIST 800-171 R1 is to host your company’s applications and data in a FedRAMP-Authorized Cloud.
|Control Family||NIST SP||FedRAMP||NIST SP|
|800-53 R4||Baseline||800-171 R1|
|AT||AWARENESS & TRAINING CONTROLS||10||5||3|
|AU||AUDIT & ACCOUNTABILITY CONTROLS||62||19||13|
|CA||SECURITY ASSESSMENT AND AUTHORIZATION CONTROLS||24||15||3|
|CM||CONFIGURATION MANAGEMENT CONTROLS||55||28||13|
|CP||CONTINGENCY PLANNING CONTROLS||10%||24||1|
|IA||IDENTIFICATION AND AUTHENTICATION CONTROLS||57||24||11|
|IR||INCIDENT RESPONSE CONTROLS||34||18||7|
|MP||MEDIA PROTECTION CONTROLS||28||11||8|
|PE||PHYSICAL AND ENVIRONMENTAL PROTECTION CONTROLS||53||22||5|
|PS||PERSONNEL SECURITY CONTROLS||16||6||3|
|RA||RISK ASSESSMENT CONTROLS||16||10||4|
|SA||SYSTEM AND SERVICES ACQUISITION CONTROLS||98||23||1|
|SC||SYSTEM AND COMMUNICATIONS PROTECTION CONTROLS||140||32||16|
|SI||SYSTEM AND INFORMATION INTEGRITY CONTROLS||91||26||7|
|Total Control Count:||905||326||126|
Key Components of NIST 800-171
NIST 800-171 is more than just 126 cybersecurity controls, however. This is a common misconception, likely due to people scanning over the document and believing the main controls listed in Chapter 3 are the only ones that matter, along with the mapping to ISO 27002 and NIST 800-53 in Appendix D. Also within scope is Appendix E of NIST 800-171 which describes the Non-Federal Organization (NFO) controls as “expected to be routinely satisfied by nonfederal organizations without specification.”
The “moderate baseline” of NIST 800-53 is described in the footnotes section of the first page of Appendix E, for the protection of CUI for contractors. The U.S. Government considers these controls mandatory as a basic component of a comprehensive security program.
To understand the controls expectations, go through Appendix E and consider both the CUI and NFO controls.
Three Key Steps To Get Compliant
- Define CUI As It Applies To Your Organization - Without clear guidance from contracting officers, contractors need to be proactive. Check your contract to see if CUI is defined. It’s not often defined clearly, but you are still required to be compliant. Categories you may easily fall under are listed here. Review the CUI Registry for similar examples of CUI based on your contract. Clearly establish your case for what you determine your in-scope CUI to be in a Memorandum for Record (MFR) or other similar document. As a subcontractor, you can provide that MFR to your prime contractor with a response deadline (e.g., 14 days). As a prime contractor, you can provide that MFR to your government contracting officer with a similar response deadline. If you don’t get a response, you will have evidence of due care, as you took reasonable steps to properly seek clarification on and define your CUI obligations.
- Minimize Compliance by Scoping Your Network - Once you have your CUI defined, identify where it’s stored, processed, and transmitted on your network(s). If you don’t have comprehensive Data Flow Diagrams (DFDs), you should generate them specifically to determine how CUI traverses your network and identify where it is processed and stored. Once you have your DFDs, you should generate architectural network diagrams to document what network-based controls exist in your environment specifically protecting CUI. With the DFD and network diagrams, you can find ways to segregate the CUI environment making the scope of compliance a smaller percentage of your network.
- Show Evidence of Compliance - Once you know how your CUI is defined and where it’s located on your network, you should go through Appendix D and E of NIST 800-171 to determine what controls apply to your environment. If you’ve done well scoping your environment, there may be controls that are no longer applicable or only apply to a small percentage of your network. This is where you should document and explain those controls are either complied with or not applicable. Some controls are administrative, such as having policies, standards, and procedures that are clearly documented. Other controls require technological solutions. This is where you must generate evidence specific to your organization.
If you want to utilize a cybersecurity consultant, at least run through these requirements and address any “low hanging fruit” controls and document what your organization is currently doing, as most of the controls are not complicated or technical in nature, saving you higher consulting fees and will allowing the consultant to focus their attention, (and your money,) on the more complicated issues.
What If I Can’t Meet The NIST 800-171 Deadline?
If you think you might not meet the deadline, don’t, fret. There is a process to deal with non-compliance which requires a contractor to submit a written request for variance to complying with NIST 800-171 to your government contracting officer.
DFARS does not give any additional explanation of the process other than the contractor must have alternative, equally effective, measures in place to offset controls that cannot be implemented provided the variance is approved.
Variances are not guaranteed, and it is not a wise decision to “beg for forgiveness” regarding meeting NIST 800-171 compliance as there will be compliant companies that are willing and able to pick up any slack. These companies will likely benefit from contracts dropped due to non-compliance.