On November 18, the National Institute of Standards and Technology (“NIST”) released Draft Special Publication 800-171 (“SP 800-171”), which includes new recommended security controls for nonfederal organizations such as government contractors, state and local governments, and colleges and universities that “process, store, or transmit” controlled unclassified information (“CUI”) on their own systems.  These draft standards were issued pursuant to Executive Order 13556, Controlled Unclassified Information (“CUI EO”), which called for the establishment of a uniform government approach for managing unclassified information requiring safeguarding or dissemination controls.  The draft standards are based on the security requirements and controls in FIPS Publication 200 and NIST SP 800-53, but were tailored to eliminate requirements that are uniquely federal, related primarily to availability, and/or presumably already routinely satisfied by nonfederal organizations.

To maintain the security of CUI, the CUI EO instructed the National Archives and Records Administration (“NARA”) to collaborate with various agencies to propose CUI classifications and associated markings, and issue any directives necessary to implement the CUI EO.  As noted in SP 800-171, “the CUI program is designed to address several deficiencies in managing and protecting unclassified information to include inconsistent markings, inadequate safeguarding, and needless restrictions, both by standardizing procedures and by providing common definitions” through a federal CUI Registry.  This Registry outlines 22 top-level categories of data, with subcategories covering everything from electronic fund transfers to source selection in the procurement process.  Although the categories of information included in the Registry are unclassified, the government has determined that additional safeguarding – such as storage on a secure server – or limitations on sharing the data should be employed.  To ensure that controls are reasonable and justified , the CUI EO requires each category to be based in statute, regulation, or government-wide policy, and the Registry lists such authorizations.

The contracting community, particularly the defense community, has seen a number of initiatives in response to the CUI EO and the subsequent Executive Order 13,636, Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive 21, Critical Infrastructure Security and Resilience.  Those initiatives have included a new DoD Instruction (8582.01) issued in June 2012 requiring “adequate security” for all unclassified DoD information on non-DoD information systems; DoD’s final rule on Unclassified Controlled Technical Information (“UCTI”) issued in November 2013 providing direction both for protecting UCTI on defense contractor systems and for reporting related cyber incidents, and a proposed FAR rule from August 2012 that remains under consideration.  As a result, non-federal entities are currently subject to a wide range of contract clauses and guidance from different agencies, some of which may be conflicting.  SP 800-171’s standards could provide some consistency for how contractors should handle CUI.

Impact on Contractors:

A key takeaway for contractors is that SP 800-171’s “Notes to Reviewers” provide that a new FAR clause is an expected next step.  Based on this expectation, NIST advises that “[u]ntil the formal process of establishing such a single FAR clause takes place, where necessitated by exigent circumstances, NIST Special Publication 800-171 may be referenced in a contract-specific requirement on a limited basis consistent with the regulatory requirements.”  Thus, contractors should remain alert for contract provisions requiring adherence to SP 800-171.

A second draft of SP 800-171 is expected in March 2015, with a final document completed by June 2015.  Related FAR changes are expected soon thereafter.  NIST is currently seeking comments on SP 800-171 no later than January 16, 2016.  Comments can be emailed to sec-cert@nist.gov.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Susan B. Cassidy Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors…

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.