National Institute of Standards and Technology

On December 30th, the Department of Defense (DoD) issued a Second Interim Rule amending its “Network Penetration Reporting and Contracting for Cloud Services” Interim Rule and giving  contractors until December 31, 2017 to implement the NIST SP 800-171 security controls required by DFARS 252.204-7012.  As noted in a previous post, DoD has already issued a class deviation giving covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of NIST SP 800-171.  This current revision appears responsive to significant concerns raised by Industry about compliance with the remaining safeguarding requirements imposed overnight on contractors on August 26, 2015.

The Second Interim Rule imposes the following changes:
Continue Reading Time Is On My Side: DoD Hears Industry Concerns – Additional Time Provided to Implement Security Controls Under New Cyber Rule

Pursuant to Executive Order 13,556 and as forecasted in the draft of the National Institute for Standards and Technology’s (“NIST”) Special Publication (“SP”) 800-171, the National Archives and Record Administration (“NARA”) released on May 8, 2015 a proposed rule addressing the government-wide designation and safeguarding of Controlled Unclassified Information[1] (“CUI”) (“the Proposed CUI Rule” or “the Rule”).  On June 18, 2015, NIST released the final version of SP 800-171, which provides guidance for protecting the confidentiality of CUI residing in nonfederal information systems.

SP 800-171 also includes interpretations of and best practices for compliance with the Proposed CUI Rule.  As a result, reading SP 800-171 in conjunction with the Proposed CUI Rule suggests that contractors may soon face significant additional burdens for safeguarding government information on their systems.


Continue Reading New Proposed Rule and Accompanying Guidance May Impose Additional Cybersecurity Burdens on Contractors Handling CUI

On December 18, 2014, President Obama signed a bill reforming the Federal Information Security Management Act of 2002 (“FISMA”). The new law updates and modernizes FISMA to provide a leadership role for the Department of Homeland Security, include security incident reporting requirements, and other key changes.

Background:  FISMA was originally passed in 2002 to provide a framework for the development and maintenance of minimum security controls to protect federal information systems. FISMA charged the Director of the Office of Management and Budget (“OMB”) with oversight of agency information security policies and practices.

Changes:  The newly signed law, the “Federal Information Security Modernization Act of 2014” (FISMA 2014”), makes several key changes to FISMA.

First, the law authorizes the Secretary of the Department of Homeland Security (“DHS”) to assist the OMB Director in administering the implementation of agency information and security practices for federal information systems. Among the Secretary’s responsibilities are convening meetings with senior agency officials, coordinating government-wide efforts for information security, consulting with the Director of the National Institute of Standards and Technology (“NIST”), and providing operational and technical assistance to agencies. Perhaps most importantly, the Secretary is tasked with developing and overseeing the implementation of “binding operational directives” to agencies to implement policies, principles, standards, and guidelines developed by the OMB Director. “Binding operational directives” are defined in FISMA 2014 as a “compulsory direction” to an agency “for the purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability or risk.”

This delegation of responsibility is likely related to another new law codifying DHS’s cybersecurity role, and authorizing a cybersecurity information-sharing hub, the National Cybersecurity and Communications Integrations Center.
Continue Reading FISMA Updated and Modernized

A major piece of IT acquisition reform legislation called the Federal Information Technology Acquisition Reform Act (“FITARA”), on which we have previously reported, was included in version of the National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) passed by the House on December 4, 2014, along with other significant IT reform provisions related to open systems requirements for the Department of Defense (“DoD”).

The FITARA portion of the bill includes provisions that would require the federal government to:

  • empower Chief Information Officers (“CIOs”) and prevent the CIO from delegating the duty of reviewing IT contracts before the agency enters into the contract;
  • provide a publicly available list for each major information technology investment, both new and existing, that lists information specified in forthcoming investment evaluation guidance;
  • engage in a detailed review of high-risk information technology investments to identify problems;
  • inventory all information technology;
  • implement a federal data center consolidation initiative, which will include publicized goals regarding cost savings and optimization improvements to be achieved as a result of the initiative, and must be performed consistent with federal guidelines on cloud computing and cybersecurity such as FedRAMP and NIST guidelines;
  • expand the use of specialized IT acquisition experts;
  • develop a federal strategic sourcing initiative to be developed by GSA, which will allow for the use of governmentwide user license agreements.

Additional provisions require the use of open and modular strategies by the DoD, including the following requirements
Continue Reading Federal Information Technology Reform Act Included in the House-Passed NDAA FY 15

On November 18, the National Institute of Standards and Technology (“NIST”) released Draft Special Publication 800-171 (“SP 800-171”), which includes new recommended security controls for nonfederal organizations such as government contractors, state and local governments, and colleges and universities that “process, store, or transmit” controlled unclassified information (“CUI”) on their own systems.  These draft standards were issued pursuant to Executive Order 13556, Controlled Unclassified Information (“CUI EO”), which called for the establishment of a uniform government approach for managing unclassified information requiring safeguarding or dissemination controls.  The draft standards are based on the security requirements and controls in FIPS Publication 200 and NIST SP 800-53, but were tailored to eliminate requirements that are uniquely federal, related primarily to availability, and/or presumably already routinely satisfied by nonfederal organizations.

To maintain the security of CUI, the CUI EO instructed the National Archives and Records Administration (“NARA”) to collaborate with various agencies to propose CUI classifications and associated markings, and issue any directives necessary to implement the CUI EO.  As noted in SP 800-171, “the CUI program is designed to address several deficiencies in managing and protecting unclassified information to include inconsistent markings, inadequate safeguarding, and needless restrictions, both by standardizing procedures and by providing common definitions” through a federal CUI Registry.  This Registry outlines 22 top-level categories of data, with subcategories covering everything from electronic fund transfers to source selection in the procurement process.  Although the categories of information included in the Registry are unclassified, the government has determined that additional safeguarding – such as storage on a secure server – or limitations on sharing the data should be employed.  To ensure that controls are reasonable and justified , the CUI EO requires each category to be based in statute, regulation, or government-wide policy, and the Registry lists such authorizations.


Continue Reading NIST Draft Standards Provide Guidance For Protecting CUI on Contractor Systems

On February 12, 2013, President Obama issued Executive Order 13636, which directed federal agencies to undertake a broad range of tasks aimed at enhancing the security and resilience of the nation’s critical infrastructure.  One task directed the National Institute of Standards and Technology (“NIST”) to establish a technology-neutral, voluntary, risk-based cybersecurity framework. A year later,