June 26, 2015
Last week the National Institute of Standards and Technology (“NIST”) issued Special Publication (“SP”) 800-171. The publication is significant as it provides federal agencies guidance and recommended information security requirements to be included in contracts or other agreements to protect the confidentiality of controlled unclassified information (“CUI”) residing in nonfederal systems. Specifically, the publication expressly encourages federal agencies to begin incorporating the recommended security requirements into appropriate contracts. Thus, while this guidance does not, itself, impose security requirements on contractors, its recommended requirements may soon be appearing in your future contracts. Contractors should, therefore, closely examine solicitations and awards going forward, be alert for the incorporation of the requirements in NIST SP 800-171, and, when incorporated, carefully review and compare the security requirements to their current information security practices to close any gaps.
A threshold question for contractors is whether their information systems contain the types of information categorized as CUI and covered by NIST SP 800-171. Complicating this inquiry, however, is the fact that current definitions are murky, which may result in inconsistent enforcement across the various federal agencies. For example, NIST SP 800-171 somewhat circularly defines CUI as “information that law, regulation or governmentwide policy requires to have safeguarding or disseminating controls,” with the exclusion of classified information.
Recognizing the need for uniformity, the National Archives and Records Administration’s (“NARA”) proposed rule to implement NIST SP 800-171 would also establish an online “CUI Registry” updated and maintained by NARA. This registry would initially identify twenty-three categories and eighty-two subcategories of information considered to be CUI, such as copyright, critical infrastructure, export control, financial, patent, and SAFETY Act information. The scope of information included within CUI is much broader than the scope of information covered by the existing DFARS clause, DFARS 252.204-7012, Safeguarding of Unclassified Controlled Technical Information, which focuses on technical information with military or space application.[1]
Given the broad scope of the CUI definition, it is likely that many contractors will house at least some information falling within one or more of these categories. NIST SP 800-171 contains over 100 recommended requirements drawn from existing federal information system computer security requirements found in two key NIST documents that may be well-known by many contractors: Federal Information Processing Standard (“FIPS”) Publication 200 and NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. Both of these documents help define the minimum level of information security required by the Federal Information Security Management Act (“FISMA”). Contractors currently collecting or maintaining information on behalf of a federal agency, or operating or using information systems on behalf of a federal agency, already must comply with these FISMA requirements. NIST SP 800-171 looks to extend the reach of those requirements by applying certain of those requirements to all nonfederal information systems housing CUI.
Specifically, NIST SP 800-171 organizes the security requirements for protecting the confidentiality of CUI into two tiers: “basic security requirements” adopted from FIPS Publication 200 and “derived security requirements,” which supplement the basic security requirements and are rooted in NIST SP 800-53. NIST SP 800-171 uses the FISMA “moderate” controls as a baseline, but then removes certain uniquely federal controls and controls unrelated to protecting confidentiality to establish the set of recommended security requirements for nonfederal information systems housing CUI. The result is a selection of requirements from fourteen of the seventeen security control families in NIST SP 800-53, including Access Control, Configuration Management, Identification and Authentication, and System and Communications Protection. The guidance also includes a chart, intended to aid contractors inspecting their current information security systems for compliance, that maps each requirement to the corresponding NIST SP 800-53 security control.[2]
This new guidance is a reminder that now, more than ever before, the government expects contractors to make information security a priority. Looking forward, contractors should prepare for the coming regulatory changes and be watching for the requirements recommended in NIST SP 800-171 in their future awards.
[1] Adding to the complexity and potential confusion in this area, the more than 50 security controls adopted from NIST SP 800-53 and incorporated into DFARS 252.204-7012 are not identical to those drawn upon in the creation of NIST SP 800-171.
[2] The guidance is quick to point out that because SP 800-171 does not adopt all of the SP 800-53 controls, compliance with a security requirement in NIST SP 800-171 does not equate to compliance with the related FISMA requirements specified in NIST SP 800-53.