New obligations are being imposed on government contractors for protecting Controlled Unclassified Information (CUI). The National Institute of Standards and Technology (NIST), which is responsible for developing information security standards and guidelines, recently published Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, released June 2015. Contracting officers for federal agencies will impose the NIST recommended requirements for protecting the confidentiality of CUI:

  1. when the CUI is resident in nonfederal information systems and organizations;
  2. when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
  3. where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.

The requirements will apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components.  The CUI requirements are intended for use by federal agencies in contracts or other agreements established between those agencies and nonfederal organizations.

When will the requirements of Special Publication 800-171 become mandatory?

The National Archives and Records Administration (NARA) plans to issue a federal regulation in 2015 to mandate the requirements of Special Publication 800-171 government-wide. Thereafter, in 2016, NARA plans to sponsor a single Federal Acquisition Regulation (FAR) clause that will require contractors to meet the specific measures for ensuring information security that are set forth in Special Publication 800-171. Given the amount of CUI throughout the federal government, it is likely that a significant number of government contractors will be affected by the new FAR clause.  Until the formal process of establishing a new FAR clause takes place, the CUI requirements of Special Publication 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements.

What is the purpose behind the new requirements?

Contractors routinely process, store, and transmit sensitive federal information in their information systems to support the delivery of essential products and services to federal agencies. For instance, contractors provide credit card and other financial services, web and email services, conduct background investigations for security clearances, process healthcare data, provide cloud services, and develop communications, satellite, and weapon systems. Federal information is also shared with state and local governments, colleges and universities, and independent research organizations. The CUI program is designed to address several deficiencies in managing and protecting unclassified information, including inconsistent markings, inadequate safeguarding, and unnecessary restrictions.

Is there any flexibility under the new requirements?

Yes. Nonfederal organizations can implement a variety of potential security solutions either directly or through the use of managed services to satisfy the CUI security requirements and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a particular requirement. To that end, compensatory security measures should be based on or derived from existing and recognized security standards and control sets, e.g., ISO 27001 or NIST Special Publication 800-53.

Does compliance with ISO 27001 or DFARS 252.204.7012 equal compliance with NIST Special Publication 800-171?

No. Compliance with ISO 27001 and DFARS 252.204.7012 does not meet the requirements of Special Publication 800-171. In fact, Special Publication 800-171 has as Appendix D, a mapping table that shows how the CUI security requirements of Special Publication 800-171 map to Special Publication 800-53 and ISO 27001 security controls, including notations where the ISO control does not fully satisfy the intent of the NIST control. As another example, the DFARS requirement for Unclassified Controlled Technical Information does not have a requirement for personal security found in Special Publication 800-171.

What information does the NIST Guide provide?

Special Publication 800-171 describes fourteen families of security requirements, including basic and derived requirements, for protecting the confidentiality of CUI in nonfederal information systems and organizations. The families are closely aligned with the minimum security requirements for federal information and information systems described in Federal Information Processing Standard (FIPS) 200, with exceptions for contingency planning, system, and services acquisition and planning requirements. The fourteen are as follows:

  1. Access Control – Limiting information system access to authorized users and devices, and the types of activities the authorized users are permitted to execute.
  2. Awareness and Training – Making sure managers, system administrators, and users are aware of the security risks associated with their activities, training them on applicable policies, standards, and procedures, and making sure they are trained appropriately to carry out their duties.
  3. Audit and Accountability – Creating, protecting, and retaining information system audit records to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
  4. Configuration Management – Establishing, maintaining, and enforcing security configuration and inventories of organizational information systems (i.e., hardware, software, firmware, and documentation) throughout the respective system development life cycles.
  5. Identification and Authentication – Identifying and authenticating the information system users and devices.
  6. Incident Response – Establishing an incident response plan for organizational information systems that include adequate preparation, detection, analysis, containment, recovery, and user response activities to track, document, and report incidents to appropriate officials and authorities internal and external to the organization.
  7. Maintenance – Performing timely maintenance on organizational information systems.
  8. Media Protection – Protecting (i.e., physically control and securely store) information system media, including limiting its access to authorized users and sanitizing or destroying such media before disposal.
  9. Personnel Security – Screening individuals prior to authorizing their access to information systems and ensuring such systems remain secure upon the termination or transfer of individuals.
  10. Physical Protection – Limiting physical access to and protecting and monitoring the physical facility and support infrastructure for the information systems.
  11. Risk Assessment – Periodically assess the risk to organizational operations (including mission, function, image, or reputation), organizational assets, and individuals resulting from the operation of organizational information systems and the associated processing, storing, and transmission of CUI.
  12. Security Assessment – Periodically assess, monitor, and correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
  13. System and Communications Protection – Monitor, control, and protect organizational communications at the external and internal boundaries of the information system, and employ architectural designs, software development techniques, and system engineering principles that promote effective information security.
  14. System and Information Integrity – Identify, report, and correct information and information system flaws in a timely manner; protect the information system from malicious code at appropriate locations; and monitor information security alerts and advisories and take appropriate actions.

Each of these fourteen families has derived security requirements that provide additional detail of the security required to protect CUI. Some examples include separation of duties of individuals to reduce the risk of malevolent activity without collusion; employing the principle of least privilege (i.e., limiting a user’s access to the least amount of CUI to perform their tasks); encrypting mobile devices; configuring information systems to employ the principle of least functionality to perform essential capabilities; using multifactor authentication for local and network access to privileged accounts; testing incident response plans; and protecting the confidentiality of CUI at rest.

A copy of the Guide is available here. Government contractors should examine Special Publication 800-171 now and compare its requirements to their own information security practices and policies to prepare for NARA’s 2016 FAR clause proposal.

The author, Bill Wagner, JD, CPCU, CIPP/US, CIPP/G, is a member of the Sedona Conference Working Groups on Data Security and Privacy Liability, and Electronic Document Retention and Production. He also serves as a Steering Committee Member to DRI’s Government Enforcement and Corporate Compliance Committee.