On June 19, 2019, the National Institute of Standards and Technology (“NIST”) announced the long-awaited update to Special Publication (“SP”) 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which includes three separate but related documents.

First, NIST has announced an update to SP 800-171 Rev. 1, which is referred to as SP 800-171 Rev. 2. NIST characterizes the changes in SP 800-171 Rev. 2 as only “minor editorial changes,” including reordering the document and updating the contents of the Appendices. NIST emphasized that there are no changes to the basic or derived security requirements in Rev. 2; in other words, the same 110 total security requirements to ensure the confidentiality of CUI under SP 800-171 Rev. 1 remain unchanged in SP 800-171 Rev. 2. NIST notes, however, that a “comprehensive update” to SP 800-171—including updates to the basic and derived security requirements—“will be forthcoming” in Revision 3; the publication of Revision 3 will follow NIST’s upcoming final draft of SP 800-53, Security and Privacy Controls for Information Systems and Organizations “which will include modified control families, privacy integration, and make other conforming edits that are necessary.”

Second, NIST has announced the publication of an entirely new document, SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets, which was drafted in response to what has been characterized by NIST as “an ongoing barrage of serious cyber attacks,” resulting in the loss and/or exposure of controlled unclassified information (“CUI”) that, in turn, prompted the Department of Defense (“DoD”) to request additional guidance from NIST. NIST describes SP 800-171B as a supplement to SP 800-171 Rev. 2 that contains recommended enhanced security requirements designed to protect designated “high value assets” or “critical programs” that contain CUI that are of interest to advanced persistent threats (“APTs”).

NIST characterizes the enhanced security requirements in SP 800-171B as providing the foundation for a “new multidimensional, defense-in-depth protection strategy that includes three, mutually supportive and reinforcing components: (1) penetration resistant architecture; (2) damage limiting operations; and (3) designing for cyber resiliency and survivability.” Indeed, NIST specifically recognizes that these requirements are necessary because the basic and derived requirements in SP 800-171 Rev 2, which are currently required by the Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, “are not designed to address the [advanced persistent threat (“APT”)].” NIST also recognizes that many contractors may require the assistance of third parties to implement these enhanced requirements and that “despite the best protection measures implemented by organizations, the APT may find ways to breach or compromise those primary boundary defenses and deploy malicious code within a defender’s system.”

The enhanced security requirements of SP 800-171B are organized into the same 14 security requirement families as SP 800-171 Rev. 2, although there are no enhanced security requirements associated with four of the 14 families: Audit and Accountability, Maintenance, Media Protection and Physical Protection. There are enhanced security requirements associated with the remaining ten families, with more than a third of the total enhanced security requirements associated with the System and Information Integrity and Risk Assessment families. Each requirement is followed by a “discussion section” that is intended to provide additional information to facilitate the implementation and assessment of the enhanced security requirements.

Third, NIST has announced the publication of a DoD cost estimate, Request for Comments on Draft NIST Special Publication (SP) 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations – Enhanced Security Requirements for Critical Programs and High Value Assets (the “Cost Estimate”). The Cost Estimate makes clear that the enhanced security requirements under SP 800-171B are focused on designated high value assets or critical programs that contain CUI (i.e., are, at least in theory, intended to apply to a more narrow subset of contractors than those subject to the requirements of SP 800-171 under DFARS 252.204-7012), which will be designated on a contract-by-contract basis. In total, DoD has estimated these requirements “will affect less than [0.05%] of an overall contractor base” that currently processes DoD CUI.

The Cost Estimate also analyzes the costs associated with the implementation and maintenance of the SP 800-171B requirements, which it characterizes as “typically being an allowable contract cost to the government.” The Cost Estimate identifies Systems and Communication Protection requirement 3.13.4e (“employ physical and logical isolation techniques in the system and security architecture”) as the “primary factor” impacting the cost of implementation. The Cost Estimate further explains that this requirement “generally means isolating the IT environment where critical program capabilities are developed from the IT environment processing other CUI, or developing commercial products.”

Impact on Contractors

Although the ultimate impact of the publication of SP 800-171B is not entirely certain, it is clear that the government intends to impose the enhanced security requirements of SP 800-171B on a contract-by-contract basis when, in the government’s assessment, a contract involves designated high value assets or critical programs that contain CUI of interest to APTs.

Although DoD has stated the requirements will only apply to a very small subset of government contractors, how broadly these requirements will apply remains uncertain. Given the government’s increased focus on protecting its information from cyber threats, it is conceivable that DoD may ultimately impose the enhanced security requirements of SP 800-171B on more than just the 0.05% of contractors that DoD currently projects. In the short term, contractors should assess whether they need outside expertise to meet these requirements and ensure that they are ready to respond to an incident should one occur—for example, not only by ensuring incident response plans are updated, but also by periodically testing the plans with scenarios involving APTs . As NIST notes in SP 800-171B, the Government recognizes that an APT may get through even the best protection measures; nevertheless, in the event of an incident, the Government will judge contractors on how they respond to the incident.

In addition to commenting on the requirements and attempting to shape the final draft appropriately, contractors should now consider their ability to comply with the enhanced security requirements of SP 800-171B because successful implementation of these requirements may take time and require the investment of additional resources. Further, a thorough review of future contracts for inclusion of the enhanced security requirements of SP 800-171B must be added to every contractor’s solicitation review, even where contractors do not believe their contracts are likely to involve designated high value assets or critical programs of interest to APTs.

Finally, although DoD has stated that costs of compliance are “allowable costs,” this does not account for commercial item contractors that do not work on a cost reimbursable basis. Those contractors will need to recover these costs in the prices of their goods and services provided to the government.

Public Comment

NIST is seeking public comment on the initial drafts of SP 800-171 Rev. 2, SP 800-171B, and the Cost Estimate, and, due to an extension announced on July 10, 2019, the public comment period will be open until August 2, 2019.  Comments on SP 800-171 Rev. 2 and SP 800-171B can be submitted to NIST via email to sec-cert@nist.gov, while comments on the Cost Estimate can be submitted to the DoD via a Regulations.gov Docket ID DOD-2019-OS-0072. NIST has cautioned that comments on SP 800-171B will be posted without change or redaction to both the Protecting CUI Project and the Regulations.gov Docket ID NIST-2019-0002 and thus, should not include personal or business information commenters do not wish to make public.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Susan B. Cassidy Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors…

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Photo of Ashden Fein Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients…

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the
U.S. Army Reserve.

Photo of Moriah Daugherty Moriah Daugherty

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients…

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients in responding to cybersecurity incidents, including matters involving Advanced Persistent Threats targeting sensitive intellectual property and personally identifiable information. Moriah also assists clients in evaluating existing security controls and practices, assessing information security policies, and preparing for cyber and data security incidents.

As part of her litigation and investigations practice, Moriah leverages her government experience to advise clients on national security and law enforcement related compliance issues, internal investigations, and response to government inquiries.

Prior to becoming a lawyer, Moriah spent eight years working for the Federal Bureau of Investigation and U.S. Department of Justice.