Why another NIST publication?
SP 800-171 was created specifically to address confidentiality concerns for federal data that resides on nonfederal systems. This data is referred to as Controlled Unclassified Information (CUI). The publication outlines what steps should be taken by nonfederal entities (read: contractors) to secure this data.
NIST SP 800-171 – Abstract
The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organization.
So is NIST 800-171 the same as NIST 800-53?
Well, no. It’s like SP 800-53’s blue-collar cousin. Many of the requirements feel very similar to 800-53, but controls focusing exclusively on data integrity and availability are missing. Gone are the familiar control family abbreviations (e.g. AC, CM), but in their place you’ll find Section 3.x (e.g. 3.1 – Access Control, 3.4 – Configuration Management).
The publication contains a complete mapping of 800-171 controls to 800-53 controls, primarily to demonstrate where the controls came from. For example, control 3.4.3 (800-171, 3.4 Configuration Management, Control #3 – Track, review, approve/disapprove, and audit changes to information systems.) maps directly to CM-3 (800-53, Configuration Change Control).
Is compliance mandatory?
Depends, but yes. Contractors that work in the Department of Defense (DoD) in particular are expected to adhere. On August 26, 2015, the Defense Acquisition Regulations System amended the DFARS to expand the scope of 252.204-7012. They renamed it Safeguarding Covered Defense Information and Cyber Incident Reporting and added verbiage that in effect states that DoD contractors must adhere to SP 800-171.
(b) Adequate security. The Contractor shall provide adequate security on all covered contractor information systems. To provide adequate security, the Contractor shall implement, at a minimum, the following information security protections:
(2)(ii)(A) The Contractor shall implement NIST SP 800-171.
(b)(2)(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017. For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at firstname.lastname@example.org, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.
And just to make sure the word gets out, adherence to the 252.204-7012 was added in a DFARS clause as a notice to contract offerers. On December 30, 2015, after a chorus of contractors cried “not yet”, a new amendment was released delaying mandatory compliance to December 31, 2017. In the meantime though, upon award of a new contract, the contractor must notify the DoD CIO within 30 days of award of any non-compliance. The government basically said Ok, you’ve got some time to get compliant, but we still want to know where your problems are in the meantime.
(c) For covered contractor information systems that are not part of an information technology service or system operated on behalf of the Government-
(1) By submission of this offer, the Offeror represents that it will implement the security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
Implement a compensating control and/or explain yourself.What if I know I won’t be 100% compliant?
(c)(2)(i) If the Offeror proposes to vary from any of the security requirements specified by NIST SP 800-171 that are in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DoD Chief Information Officer (CIO), a written explanation of:
(A) Why a particular security requirement is not applicable; or
(B) How an alternative but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection.
We’re not in DoD. What about us?
You’re not off the hook, but you’ve got less paperwork to do (unless you want to get into DoD, in which case you should get compliant with 800-171). As of June 15, 2016, all federal contractors are expected to adhere to FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems. This clause hits the highlights of 800-171 without referencing it and without enumerating a series of specific controls. The requirements of this clause are high-level and intentionally vague.
(b)(1) The Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:
(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) Verify and control/limit connections to and use of external information systems.
(iv) Control information posted or processed on publicly accessible information systems.
(v) Identify information system users, processes acting on behalf of users, or devices.
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
(xii) Identify, report, and correct information and information system flaws in a timely manner.
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.
(xiv) Update malicious code protection mechanisms when new releases are available.
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
We’re subcontractors on civilian contracts. Do we count?
Depends. Are you using your own gear on the contract, or do you use the prime’s? If it’s the former, you’re invited to the party.
(c) Subcontracts. The Contractor shall include the substance of this clause, including this paragraph (c), in subcontracts under this contract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.