Ahead of the upcoming December 31, 2017 deadline for federal defense contractors to implement National Institute of Standards and Technology (“NIST”) Special Publication 800-171 (“SP 800-171”), NIST has released a new draft publication designed to assist organizations in assessing compliance under SP 800-171, Draft Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information (“CUI”) (“SP 800-171A”).
Currently, there is no regulation or statute that imposes SP 800-171A on contractors. Rather, SP 800-171A is intended as guidance for organizations in developing assessment plans and conducting “efficient, effective, and cost-effective” assessments of the implementation of security controls required by SP 800-171. Similar to SP 800-171, SP 800-171A does not prescribe specific, required assessment procedures. Instead, SP 800-171A provides a series of “flexible and tailorable” procedures that organizations could use for conducting assessments with each security control in SP 800-171. SP 800-171A specifically recognizes three distinct methods for conducting assessments: examining and interviewing to facilitate understanding, achieve clarification, or obtain evidence and testing to compare actual results with expectations.
Requirements of SP 800-171A:
Following the format of SP 800-171, SP 800-171A groups its assessment procedures by the fourteen families of CUI security control requirements, and highlights how an assessor could examine, interview, or test each particular control at issue. Although SP 800-171A suggests a majority of the controls could be evaluated using all three methods, it does recognize that some of the controls can only be effectively assessed using a subset of the three methods. SP 800-171A also recognizes that organizations may not need to test every control – controls that are not applicable to a particular organization should not be tested in the assessment, but should instead be documented as non-applicable in the organization’s System Security Plan (“SSP”).
Consistent with its recent update to NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (“SP 800-53”), in creating this publication, NIST used the term “system” rather than “information system” to reflect that CUI needs to be safeguarded on a broader array of contractor information systems such as industrial and process control systems, cyber-physical systems, and individual devices that are part of the Internet of Things.
Impact on Contractors:
Although there is currently no requirement that defense contractors follow the procedures in SP 800-171A, the draft publication was designed as “a starting point” for organizations to use in developing assessment plans and determining compliance with NIST SP 800-171. In particular, SP 800-171A notes that “[o]rganizations can use the assessment procedures to generate evidence to support the assertion that the security requirements have been satisfied.” Such evidence could be used in a variety of ways, such as the basis for identifying security related weaknesses in a system, as an aid in source selection, or by the Defense Contract Management Agency (“DCMA”) when auditing contractor compliance with Defense Federal Acquisition Regulation Supplement (“DFARS”) clause 252.204-7012.
Attached to SP 800-171 is an appendix that provides supplemental guidance for implementing and assessing the CUI security requirements in SP 800-171. As currently drafted, many of the SP 800-171 security controls are only a sentence or two long. The supplemental guidance is based on the more fulsome “security controls in NIST Special Publication 800-53 and is provided to give assessors a better understanding of the mechanisms and procedures used to implement the safeguards employed to protect CUI.” NIST states that this supplemental guidance will be included in the next update to SP 800-171.
As noted in a previous blog post, NIST is in the process of revising SP 800-53, which only applies to federal systems. One of the stated objectives of the revised version, however, is to make SP 800-53’s cybersecurity and privacy standards and guidelines accessible to non-federal and private sector organizations for voluntary use on their systems. As a result, because NIST is incorporating this guidance more explicitly, defense contractors may ultimately see a blurring of some of the requirements of SP 800-171 versus SP 800-53.
NIST is seeking comment on draft publication SP 800-171A no later than December 27, 2017. Comments can be emailed to sec-cert@nist.gov.