NIST offers help for contractors to secure unclassified government information

Published 5 December 2017

It is crunch time for government contractors. They only have until 31 December 2017 to demonstrate they are providing appropriate cybersecurity for a class of sensitive data called Controlled Unclassified Information (CUI). Otherwise, they risk losing their contracts. For organizations that may be struggling to meet the deadline, the National Institute of Standards and Technology (NIST) has a new publication intended to help.

NIST’s Draft Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information, is a guideline for any organization seeking to comply with the CUI regulation governing the safe handling of information that is important to the U.S. government. CUI is a diverse classification that includes information involving privacy, proprietary business interests and law enforcement investigations.

The CUI security requirements are described in a related publication, NIST SP 800-171. In 2016, the Department of Defense (DOD) stipulated that contractors comply with the requirements by the end of calendar year 2017. Failure to comply would preclude an organization from contracting with the DOD.

“Because contractors do business with other organizations, the impact of this requirement will ripple across the private sector,” said NIST’s Ron Ross, one of the publication’s authors. “It will affect other firms that work with contractors, as well as colleges and universities that work on related research grants.”

The guideline provides organizations with a starting point and framework for developing specific procedures to assess NIST SP 800-171’s CUI security requirements. System, information security and privacy professionals can use it to produce evidence they need to determine if they are correctly implementing their security safeguards.

As each organization will have different needs, the guideline is arranged so that users can find the sections relevant to their own circumstances. Its central chapter provides a catalog of assessment procedures for the 14 families of CUI security requirements in NIST SP 800-171, including assessment objectives and potential assessment methods.

“The assessment guideline provides our customers with complete flexibility to evaluate the safeguards implemented to meet the CUI security requirements in NIST SP 800-171,” Ross said. “The assessments can be conducted with varying degrees of rigor, based on the needs of the customer.”

The guideline also provides additional assessment-related information, including general references, a description of the assessment methods used in assessment procedures, and supplemental guidance for implementing the safeguards that are necessary to satisfy the requirements.

For added clarity, NIST has also included a new errata section in SP 800-171 (pages ix-xi of that publication's PDF), outlining a number of minor editorial and corrective changes.

Draft SP 800-171A is available for download from the NIST website.