Jessica Hoffman and Sese Bennett, guest bloggers

Have you heard about the new NIST Special Publication 800-171 yet?

If not, this blog contains important information that could affect how you contract with the federal government.  If you are like the thousands of other government contractors struggling to understand what this means and how many resources it will take to become compliant, know that you are not alone!  Don’t worry, odds are you are already in compliance to a large degree.

Cybersecurity breaches are a common threat that seems almost normal in this day and age.  However, our government, along with the security expertise of NIST, continue to seek more secure and efficient ways to safeguard our data. When determining the level of information security your organization should implement, the risks of your data being compromised should be the driving factor.  Less-obvious, lower risk organizations are targets for the theft of confidential government information, and the federal government now is taking additional steps to safeguard their security.

A primary target for hackers are non-federal organizations that have access to federal data including citizen’s higher education, tax, and healthcare records. This type of information is of high value to malicious users looking to either directly exfiltrate this information or establish a foothold as a jumping off point to larger federal agency targets.  Additional organizations of interest are higher learning institutions that leverage government data for research, development, and/or government grants.  Although data in transit must be protected per federal encryption requirements, the larger question that comes to mind is – What controls should be in place to also protect the data once it reaches the intended recipient?  That is where NIST 800-171 becomes relevant. This new standard was implemented to help fill the gaps of protecting Controlled Unclassified Information (CUI) on non-federal information systems.

CUI is defined as “information that law, regulation, or government-wide policy requires safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended (Executive Order 13556)”.  So what does this long and complex government definition really mean?

If you are a government support contractor, for example, that has access to federal information systems or government data that isn’t labeled as classified, or a university using Medicare data for statistical research, you may have access to CUI as part of your contract and therefore obligated to protect it.  Any contractor that supports federal information systems and has access to CUI is potentially impacted by NIST SP 800-171, and CUI isn’t necessarily limited to raw data records. It also applies to data that is collected, stored, and documented in support of federal information system.  This includes project management, technical writing, system development, and consulting.

One of the most frequent questions organizations have regarding NIST SP 800-171 is concerning the major differences between NIST SP 800-171 and the better known NIST SP 800-53 standard. At a high level, the NIST SP 800-53 security standard is intended for internal use by the Federal Government and contains controls that often do not apply to a contractor’s internal information system. NIST SP 800-53 provides federal organizations with the top level requirements and is more specific to providing security and privacy controls for federal information systems and organizations.

On the other hand, NIST SP 800-171 applies to internal contractor information systems provides a standardized set of requirements for all CUI security needs to allow non-federal organizations to be in compliance with statutory and regulatory requirements by consistently implementing CUI safeguards. Additionally, many of the NIST SP 800-171 controls are about general best security practices for policy, process, and configuring IT securely and this means in many regards, NIST SP 800-171 is viewed as less complicated and easier to understand than its NIST SP 800-53 counterpart.

NIST SP 800-171 is unique in that it is tailored to eliminate FIPS 200 and NIST SP 800-53 requirements that are: 1.) specific to government-owned systems, 2.) not related to CUI, or 3.) expected to be satisfied without specifications (i.e., policy and procedure controls). NIST SP 800-171 includes just over a hundred controls broken across 14 control families and is more concise in nature, making it less complex to implement for non-federal organizations.

One of the unique characteristics of the NIST SP 800-171 is the flexibility non-federal organizations have in defining how requirements are implemented. The requirements do not mandate any particular technological solutions, and allow contractors, if they choose, to protect information using the systems they already have in place, rather than trying to use government-specific approaches. This is great news for organizations that already have existing mature systems and will likely mean that they will not have to “rip and replace” their existing security program.

Security requirements in NIST SP 800-171 are designed to protect CUI residing in contractor information systems while generally reducing the burden placed on contractors to maintain federal-centric processes and requirements.  Compliance with NIST SP 800-171 should be viewed as an opportunity to be good stewards of government data as well as an opportunity for these organizations to compete for federal opportunities that others may not qualify for. This is indeed good news for compliant organizations seeking to do business with the federal government.

FISMA Compliance Guide