If you are a defense or government supplier, or a subcontractor selling to a government supplier, you need to know about the NIST 800-171 mandate and take steps to perform a NIST assessment so that you are NIST compliant by December 31, 2017.
First, a little background about NIST
The National Institute of Standards and Technology (NIST) develops and issues standards, guidelines, and other publications to assist in managing cost effective programs to protect information and information systems of federal agencies. The resources that NIST provides are recognized by and utilized by IT security, compliance, and risk management professionals in all industries as a “standard” for best practices.
NIST is one of the nation’s oldest physical science laboratories and it is part of the US Department of Commerce. Congress established NIST in 1901 in an effort to remove a major challenge to US industrial competitiveness at the time—a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany, and other economic rivals. The Information Technology Laboratory (ITL) at NIST promotes the US economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure.
What is NIST 800-171?
NIST Special Publication 800-171 (originally created in June 2015 and updated in December 2016) covers the protection of “Controlled Unclassified Information” (CUI) which is defined as information created by the government, or an entity on behalf of the government, that is unclassified, but needs safeguarding. NIST 800‑171 provides a set of guidelines that outline the processes and procedures that companies need to implement to safeguard this information.
The requirements in NIST 800-171 are derived from FIPS Publication 200 and the moderate security control baseline in NIST Special Publication 800‑53. NIST Special Publication 800‑53 covers security controls for US federal information systems except those related to national security. Over time, these requirements and security controls have been determined to provide the necessary protection for federal information and systems covered under FISMA (the Federal Information Security Modernization Act of 2014). By complying with NIST 800‑171, you will also meet the majority of the criteria for NIST 800-53.
Controlled Unclassified Information (CUI)
CUI is defined as information created by the government, or an entity on behalf of the government, that is unclassified, but needs safeguarding. CUI is information that is sensitive and relevant to the interests of the US and potentially its national security, but not strictly regulated by the federal government.
CUI is unclassified information that is stored on “covered contractor information systems,” meaning unclassified information systems that are owned by, or operated by or for, a contractor and that process, store, or transmit covered defense information.
A “covered contractor information system” is defined in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” paragraph (a).
In performance of a subcontract, if you anticipate operating a “covered contractor information system,” then ask yourself:
- Will you be in full compliance with the NIST SP 800-171 requirements by December 31, 2017?
- If not, do you intend to rely on the “alternative but equally effective security measures” provided for in DFARS 252.204‑7012(b)(2)(ii)(B)?
NIST 800-171 provides a set of guidelines that outline the processes and procedures companies need to plan for and implement by December 31, 2017 in order to achieve compliance with the controls around CUI. In working with several Department of Defense contractors, Corserva has also seen this information referred to as Covered Defense Information (CDI), formerly described as “Unclassified Information which is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor.”
NIST: National Institute of Standards and Technology, founded in 1901
CUI: Controlled Unclassified Information
NIST 800-171: provides guidance as to how CUI should be accessed, shared, and stored in a secure fashion
NIST 800-53: provides a catalog of security controls for all US federal information systems except those related to national security
Types of CUI
Examples of CUI include email, electronic files, blueprints, drawings, proprietary company or contractor information (such as sales orders and contracts), and physical records (such as printouts). It is important to understand that CUI is not restricted to digital files; it can include paper copies, which are specifically referred to as “printed from an information system which processes or stores electronic files transmitted or stored on servers, desktops, laptops, mobile devices, etc.”
Who Needs to Comply?
Entities that deal with government controlled unclassified information must comply. (Learn more in "3 Myths About NIST 800-171.") Typical entities with this kind of information include universities, research institutions, consulting companies, service providers, and manufacturers, especially manufacturing companies that are prime contractors, or that subcontract to prime contractors, on various government contracts. These entities will almost always have CUI on premises or in cloud/provider based systems and applications.
NIST 800-171 is not confined to prime contractors. The NIST standards outlined must be met by anyone who processes, stores, or transmits this type of potentially sensitive information (CUI) for the DoD, GSA, or NASA and other federal or state agencies. This includes contractual agency relationships. There are negative ramifications for not being compliant that can include the loss of customers.
The good news for manufacturers who embark on the effort to meet the NIST 800-171 mandate is that it provides a competitive advantage over manufacturers that have not. A side benefit of becoming compliant with NIST 800-171 is that, once you do, you have also made significant progress on the path to complying with NIST 800-53, another competitive advantage. Once you meet the NIST 800-171 mandate, you can contact your customers to let them know, and ask them whether all of their suppliers are compliant.
Will I Receive Notification About NIST Compliance?
Some organizations will receive direct notification about their need to comply with the NIST 800-171 mandate. If you are a manufacturer, you may have been notified by a prime contractor or subcontractor stating that you need to comply with NIST 800-171 by December 31, 2017. Notification can come directly via mail or email. Alternatively, you might be notified when logging into a portal that you use for procurement or order management. Keep in mind that if you receive no notification, this does not mean you do not need to comply with NIST 800-171.
It’s possible the notification was sent but the correct person to receive it never saw it. Corserva has worked with many manufacturers who never received formal notification to comply.
How to Comply with the NIST 800-171 Mandate
UPDATE AS OF FEBRUARY 2020: To increase the cybersecurity posture of companies operating in government supply chains, a new certification has been created, Cybersecurity Maturity Model Certification (CMMC).
The Department of Defense is planning to migrate to the new CMMC framework to enhance the cybersecurity posture of companies participating in government supply chains.
The CMMC framework will require all companies seeking compliance to work with an accredited and independent third-party organization to schedule a CMMC assessment.
You should seek out a vendor with experience in this area of compliance and assessment as well as comprehensive experience in project management. A major benefit of using an outside third party is the level of expertise you gain: advanced expertise in specific areas, rather than the high-level view of a single inside resource.
The assessment should consist of three phases:
#1 Information Gathering
#2 Data Analysis
#3 Preparation of Findings for Presentation to Management
In our experience at Corserva, each phase takes 20–30 days for most engagements (depending on the size of the organization and the technology utilized).
From this assessment, you will have a specific roadmap to follow on the path to achieve compliance. After the assessment, you should plan for ongoing validation on a regular basis to ensure you stay in compliance with NIST 800-171.
There are costs involved in becoming NIST compliant, but you may not need to spend as much as you think.
To learn more about NIST 800-171 compliance, sign up for a free, no obligation, call with Corserva’s experts in NIST compliance.