On June 19, 2015, the National Institute of Standards and Technology (“NIST”) published the final version of guidance for federal agencies to ensure sensitive information remains confidential when stored outside of federal systems. The guidelines, Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, apply to nonfederal information systems and organizations that process, store, or transmit federal controlled unclassified information, or “CUI,” and match the guidelines published for public comment last fall. The new guidance is step two in a three-part plan with the National Archives and Records Administration (“NARA”), discussed in last month’s blog, to ensure the confidentiality of sensitive federal information no matter where it is stored. As data breaches continue to make near-daily news, federal contractors not using the “recommendations” laid out in SP 800-171 would be wise to take another look, as they contain, more than ever, the Government’s express expectations of how it wants its information protected.
Built upon existing computer security requirements for federal information systems, Federal Information Processing Standard (“FIPS”) 200 and the Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53), the final guidelines are designed to assist federal agencies in the negotiation of information system contracts and agreements where CUI will be stored and processed outside of the Federal Government, including federal contractors; state, local and tribal governments; as well as colleges and universities.
As reflected in its past iteration, the final NIST guidance identifies 14 groupings of security requirements for protecting the confidentiality of CUI on nonfederal systems, including:
- ACCESS CONTROL: Limit information system access to authorized users.
- AWARENESS AND TRAINING: Ensure that managers and users of organizational information systems are made aware of the security risks and ensure that personnel are adequately trained.
- AUDIT AND ACCOUNTABILITY: Create information system audit records to enable the reporting of unlawful, unauthorized, or inappropriate information system activity; and ensure that the actions of individual users can be traced to be held accountable for their actions.
- CONFIGURATION MANAGEMENT: Establish baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation); and establish security configuration settings for technology products.
- IDENTIFICATION AND AUTHENTICATION: Identify information system users and authenticate (or verify) the identities of those users as a prerequisite to allowing access.
- INCIDENT RESPONSE: Establish an operational incident-handling capability for organizational information systems; and track, document, and report incidents to appropriate authorities.
- MAINTENANCE: Perform periodic maintenance on organizational information systems; and provide effective controls on the tools and personnel used to conduct maintenance.
- MEDIA PROTECTION: Protect information system media containing CUI, both paper and digital; and limit access to CUI on information system media to authorized users.
- PHYSICAL PROTECTION: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- PERSONNEL SECURITY: Screen individuals prior to authorizing access to information systems containing CUI.
- RISK ASSESSMENT: Periodically assess the risk to organizational operations, assets, and individuals.
- SECURITY ASSESSMENT: Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; develop and implement plans of action designed to correct deficiencies.
- SYSTEM AND COMMUNICATIONS PROTECTION: Monitor, control, and protect organizational communications.
- SYSTEM AND INFORMATION INTEGRITY: Identify, report, and correct information and information system flaws in a timely manner; and provide protection from malicious code.
None of the requirements is expected to be “one-size-fits-all.” Instead, each recommendation contains a detailed checklist of flexible requirements that are intended to overlap with contractors’ existing security processes. To facilitate this process, the guidance’s Appendix D includes methods by which organizations that have adopted the Federal Government’s Framework for Improving Critical Infrastructure Cybersecurity may map the finalized CUI security requirements to other known security standards and controls, such as those in SP 800-53 and ISO/IEC 27001.
Although following the NIST guidance is not yet mandated, per se, it should be remembered that NARA’s proposed FAR rule, once issued, is expected to require agencies to mandate the SP 800-171 guidance. Contractors should not, therefore, be surprised to find the guidance taking a pivotal role in present contract negotiations where CUI is in play – the writing is, effectively, on the wall. And, if an agency does not mandate the use of guidelines, a savvy contractor living in a world of near-weekly data breaches would be wise to adopt NIST’s “recommendations” as baseline best practices in order to survive regulatory scrutiny in the case of a breach.