National Institute of Standards and Technology (NIST)

Legislation directing the National Institute of Standards and technology (“NIST”) to create standards and guidelines for securing Internet of Things (“IoT”) devices used by Federal agencies and their contractors recently passed the Senate and is heading to the President’s desk. We have been following this legislation closely for the past two years, here and here.  The bill passed in the Senate without amendment by unanimous consent.
Continue Reading IoT Legislation Passes Congress

At long last, the Department of Defense (“DoD”) has provided its interim rule, published in the Federal Register on September 29, 2020, amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to set forth requirements for the Cybersecurity Maturity Model Certification (“CMMC”) program, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.”  The interim rule is effective November 30, 2020, and comments to the interim rule should be submitted by November 30 as well.  Continue reading for our breakdown of key provisions.
Continue Reading DoD’s Long Awaited Rule on CMMC – Plus a New Cybersecurity Assessment Methodology for Contractors to Start Right Now

Congress recently advanced legislation that directs the National Institute of Standards and Technology (NIST) to create standards and guidelines for securing Internet of Things (“IoT”) devices used by Federal agencies and their contractors. We previously reported on this legislation in April of 2019 when it was introduced in the House (H.R. 1668) and the Senate (S. 734). On September 14, 2020, the House of Representatives passed the legislation on a voice vote.
Continue Reading IoT Legislation Advances in Congress

The Government remains intensely focused on how best to protect its Controlled Unclassified Information (CUI) once it is released to contractors. In a shift from its initial approach of “we will take the contractor’s word for it,” the Department of Defense (DoD) announced in June 2019 it is in the process of developing a new cybersecurity certification program for its contractors, which will involve using third party auditors to validate contractor compliance with required security controls. In addition, on June 19, 2019, the National Institute of Standards and Technology (NIST) released two new highly-anticipated draft special publications – NIST SP 800-171, Rev 2 and NIST SP 800-171B – with a tight turnaround time for comments by July 19, 2019.
Continue Reading Cyber Update: DoD Contractor Cybersecurity Certification and 33 New Enhanced Controls to Combat the Advanced Persistent Threat

In 2019, cybersecurity has become top-of-mind for most federal government contractors and agencies that share sensitive information.  In addition to updated Department of Defense guidance and procedures for evaluating contractors’ compliance with cybersecurity requirements, as well as an increase in Department of Defense cybersecurity audits, the Federal Acquisition Regulation (FAR) council also has promised a new FAR clause that will require compliance with NIST SP 800-171 security controls for civilian agency contractors that receive or create Controlled Unclassified Information (CUI).
Continue Reading “Internet of Things” Guidance to be Added to Cybersecurity Requirements for Agencies and Federal Contractors

Pursuant to DFARS 252.204-7012, DoD contractors are to implement the security requirements in NIST Special Publication (SP) 800-171 by December 31, 2017. NIST SP 800-171 includes security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems and is expected soon to be required under civilian agency contracts through a forthcoming FAR case. On November 28, 2017, NIST released its highly-anticipated draft publication, NIST SP 800-171A on “Assessing Security Requirements for Controlled Unclassified Information.” Like NIST SP 800-53A, which provides assessment procedures related to the requirements in NIST SP 800-53 (containing security requirements for federal systems), the draft publication will “help organizations develop assessment plans and conduct efficient, effective, and cost-effective assessments of the security requirements in Special Publication 800-171.” The draft special publication includes assessment procedures relating to each of the security requirements in the fourteen families included in NIST SP 800-171 and describes methods by which companies can “generate evidence to support the assertion that the security requirements have been satisfied.” Thus, it appears an organization that conducts the suggested assessments in the draft publication and generates supporting documentation can present this to its agency customer as proof of compliance with NIST SP 800-171 (of course, this is subject to any agency-specific clauses or demands relating to safeguarding CUI).
Continue Reading NIST Releases Highly-Anticipated Draft Special Publication on Assessing the Security Requirements in NIST SP 800-171 for Controlled Unclassified Information (CUI)

On June 19, 2015, the National Institute of Standards and Technology (“NIST”) published the final version of guidance for federal agencies to ensure sensitive information remains confidential when stored outside of federal systems.  The guidelines, Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, apply to nonfederal information systems and organizations that process, store, or transmit federal controlled unclassified information, or “CUI,” and match the guidelines published for public comment last fall.  The new guidance is step two in a three-part plan with the National Archives and Records Administration (“NARA”), discussed in last month’s blog, to ensure the confidentiality of sensitive federal information no matter where it is stored.  As data breaches continue to make near-daily news, federal contractors not using the “recommendations” laid out in SP 800-171 would be wise to take another look, as they contain, more than ever, the Government’s express expectations of how it wants its information protected.
Continue Reading ALERT: NIST Issues Final Guidance on Federal Contractor Cybersecurity Standards for Controlled Unclassified Information

Government contractors should take note of a proposed new rule that could impose significant new data storage obligations when finalized.  The Federal Government is taking another baby-step towards cybersecurity regulation with a proposed rule intended to standardize protocols relating to designating and safeguarding unclassified information that is to be withheld from public disclosure (also known as “controlled unclassified information” (“CUI”)).  See 80 Fed. Reg. 26501 (proposing amendments to 32 CFR Part 2002).  On May 8, 2015, the National Archives and Records Administration (“NARA”) published a proposed new rule that goes a long way in creating a standardized system intended to replace the litany of improvised CUI control markings that have been used by various Federal agencies and, unintentionally, hindered inter-governmental information sharing for decades.  The effort, however, is more than a simple housekeeping exercise, the re-designation of CUI will also bring changes to the manner in which contractor-generated information residing on contractor-owned systems is stored and secured.
Continue Reading Another Prologue to Cybersecurity Regulations: Controlled Unclassified Information (“CUI”) – What Contractors Need to Know and Why They Should Care

The federal government sector has been abuzz lately with whispers and shouts about pending cybersecurity regulations, frameworks, and requirements. This attention is not particularly surprising, especially given the recent high-profile data breaches, the litigation threats surrounding those breaches, the recent identification of the encryption-disabling, consumer data threatening “Heartbleed SSL” OpenSSL vulnerability, and recent reports that the September 2013 cyber-incursion into the U.S. Navy’s Intranet network could have been prevented with the proper security contracting mechanism.  Notably, however, while these stories – and the resultant damages that these stories’ topics leave in their wake – remain in the headlines, Congress has yet to act (and according to Senator Evan Bayh (D-IN), will likely not be acting anytime soon). By contrast, the Executive branch, and especially the FTC, is in a full-on sprint and tackling cybersecurity wherever it can be found.
Continue Reading The Cybersecurity Race: Executive Branch Takes The Lead While Congress Watches From The Bleachers