There are several helpful resources for contractors looking to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” To help contractors meet the requirements, NIST recently issued NIST Handbook 162, entitled “NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements.” The Handbook provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in NIST SP 800-171, Revision 1.
The assessment procedures in NIST SP 800-171A consist of an assessment objective and a set of potential assessment methods and assessment objects that can be used to perform the assessment. Each assessment objective includes a determination statement related to the CUI security requirement that is the subject of the assessment, and each determination statement is traceable back to SP 800-171. Applying an assessment procedure to a security requirement produces assessment findings, which are used to determine whether the security requirement has been satisfied.
“Assessment objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system. Mechanisms are the specific hardware, software, or firmware safeguards employed within a system. Activities are the protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan, and monitoring network traffic). Individuals or groups of individuals are people who apply the specifications, mechanisms, or activities described above.”
The assessment methods define the nature of the assessor’s actions and include examine, interview, and test. Each method is applied to one or more assessment objects. Any security requirements deemed not applicable are noted in the system security plan. Each CUI security requirement is then deemed either satisfied or other than satisfied based on the findings and evidence produced during the assessment. Contractors will be able to claim compliance with the security requirements specified in SP 800-171 using the procedures in SP 800-171A (currently in draft).
So how does it work? Each security requirement is assessed using the examine, interview, and test methods. For example, security requirement 3.1.4 (determination statement 3.1.4(a)) involves separation of duties. Potential assessment methods and objects include examining policies and procedures, interviewing personnel, and testing the mechanisms that implement separation of duties to confirm they exist and operate as intended. For assessment findings other than satisfied, contractors may choose to define subcategories of findings to indicate the severity or criticality of the weaknesses or deficiencies discovered and their potential adverse effects on the contractor. “Defining such subcategories can help to establish priorities for needed risk mitigation actions. Organizations may also choose to employ a more granular approach to findings by introducing a partially satisfied category for assessment.”
Here are some additional links:
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, available here;
- NIST SP 800-171, Revision 1 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, available here;
- Draft NIST SP 800-171A – Assessing Security Requirements for Controlled Unclassified Information, available here;
- NIST’s Manufacturing Extension Partnership’s Handbook 162, NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements, available here;
- DoD’s Frequently Asked Questions (FAQs) dated Jan. 27, 2017 – Implementation of DFARS Case 2013-D018, Network Penetration Reporting and Contracting for Cloud Services, available here;
- DoD’s Procurement Toolbox Cybersecurity Resources, available here;
- The National Archives Controlled Unclassified Information Registry – Categories and Subcategories, available here;
- Taft’s Checklists and Other Blog Posts on the DFARS Safeguarding Regulations, available here;
- Taft’s webinar on the Defense Department Cybersecurity Rules, available here.
If you have a particular question about the DFARS Safeguarding Covered Defense Information and Cyber Incident Reporting regulation or NIST SP 800-171, let us know and we might use your question for an upcoming blog post.