The ongoing threat of cyberattacks and a litany of high-profile data breaches underscores the importance of improved security for any information systems dealing with sensitive government information. That’s particularly true of private contractors who work with the DoD and other government agencies but may not be adopting security best practices.
In response, NIST SP 800-171 was developed to create a set of standards to ensure cyber hygiene and the safeguarding of Controlled Unclassified Information (CUI).
The National Institute of Standards and Technology (NIST) is a government agency that’s part of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
Established in 1901, NIST employs over 2,000 scientists and engineers. It has created thousands of standards and special publications, including NIST SP 800-171, which defines how to protect and distribute Controlled Unclassified Information (CUI) created or possessed by non-federal entities.
Any nonfederal organization that processes, stores, or transmits CUI on behalf of a federal agency such as the Department of Defense (DoD), the General Services Administration (GSA), or NASA must meet the requirements outlined in 800-171. That includes contractors and the subcontractors they flow the requirement down to.
CUI is at the core of NIST 800-171; it is the reason the standard was created. Controlled Unclassified Information (CUI) is information that is not classified but that a law, regulation, or government-wide policy requires to be safeguarded or shared only under controls.
There are numerous categories of CUI that include:
So what kind of information would be considered sensitive but not be classified? An example might be the design for a widget that was later sold to the military for use in an aircraft. While seemingly insignificant compared to the specifications for a weapons system, it’s not something you’d want falling into the wrong hands, and it should be protected.
According to a 2015 New York University study, approximately nine million people work for the federal government, 40% of whom are private contractors, many of them handling CUI. Like nearly every business, they are under the constant threat of a data breach.
From massive data breaches at Marriott in 2018 and Equifax in 2017 that compromised hundreds of millions of accounts to the 2013 Yahoo! breach that involved all of its three billion users, the scale and severity of cyberattacks has escalated over the past decade. That includes notable breaches involving DoD contractors.
In 2018, hackers compromised a DoD contractor responsible for employee travel records. As many as 30,000 employees were potentially affected, with personal information compromised, including credit card data.
Although federal information systems were already governed by NIST SP 800-53 (through FISMA), until 800-171 no comparable standard existed for the commercial contractors that support the DoD and other government agencies. Attackers were targeting these smaller businesses, which typically allocate a smaller budget (if any) to security, making them easier to breach.
With NIST 800-171, the U.S. government set a minimum baseline for the contractors that handle federal CUI by defining the requirements for safeguarding it.
The NIST Cybersecurity Framework (a separate publication to which the 800-171 requirement families are commonly mapped) organizes security activity into five functions:
Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
NIST SP 800-171 derives its requirements from FIPS 200 and the NIST SP 800-53 moderate baseline. It contains 110 security requirements across the following 14 families, which span both administrative and technical controls:
Access Control (3.1)
Awareness and Training (3.2)
Audit and Accountability (3.3)
Configuration Management (3.4)
Identification and Authentication (3.5)
Incident Response (3.6)
Maintenance (3.7)
Media Protection (3.8)
Personnel Security (3.9)
Physical Protection (3.10)
Risk Assessment (3.11)
Security Assessment (3.12)
System and Communications Protection (3.13)
System and Information Integrity (3.14)
The following chart shows a breakdown of the NIST 800-171 categories and the type of response they fall into.
Like all things government, the specific security controls addressed within each 800-171 category can be confusing. That’s why we’ve created a helpful guide that uses simple and direct language to clearly spell out what is required within each control.
Within the controls, several typically require third-party software to achieve compliance. However, it’s important to note that not all of the categories are IT related – some address physical security, personnel, and awareness and training – so be wary of anyone selling a 100% software-based NIST compliance package.
Due to the sensitivity of the information at risk and the persistent threat of a breach, NIST 800-171 was made a contractual requirement for DoD contractors that handle CUI.
DFARS 252.204-7012 (b)(2)(ii)(A) requires that contractors “…implement NIST SP 800-171, Protecting CUI in Nonfederal Systems and Organizations, as soon as practical, but not later than December 31, 2017.”
Furthermore, DoD solicitations state that by submitting an offer, the contractor represents that it will implement NIST 800-171. Noncompliance can result in failure to win the contract or loss of an existing one, and it jeopardizes future awards.
But while NIST 800-171 was drafted as a requirement, government contractors only had to self-attest that they were in compliance with the standards or were actively working toward meeting them.
Since the NIST SP 800-171 guidelines were released, many private contractors have ignored them. Although they were required to meet the standard, the lack of a third-party auditing protocol meant a contractor could state it was compliant, win a contract, and never follow through on the requirements.
For that reason, the DoD announced in 2019 that contractors had roughly 18 months to become compliant. At the end of that window, contractors working with the DoD would be subject to third-party assessment. Those found to be noncompliant not only risk losing current contracts but also will be unable to secure future ones.
Why the sudden change? It’s actually not that sudden. The original deadline to become NIST compliant was in December 2017, but no one took it seriously, including the DoD. Since then, hundreds of smaller data breaches have occurred within the private contractor community.
Around 8% of private contractors reported at least one data breach since 2016, and in many of those cases there were multiple breaches. That means personal information for nearly 300,000 employees was compromised.
Even more concerning is the possibility that bad actors accessed sensitive CUI. In fact, there are reports that adversaries of the United States have developed military equipment from stolen design data.
In response to the failure of self-assessment, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) announced the Cybersecurity Maturity Model Certification (CMMC), a new certification model designed to verify that DoD contractors have sufficient controls to safeguard sensitive data.
Built in part from NIST 800-171 and other cybersecurity frameworks, the CMMC is set to take effect in January 2021. At that time, any organization intending to do business with the DoD will be subject to a mandatory audit to obtain CMMC certification before a contract is awarded.
Though it might seem that CMMC will replace NIST 800-171, the two are not interchangeable. While both primarily focus on CUI, NIST 800-171 also addresses 63 Non-Federal Organization (NFO) controls in its appendix, so CMMC certification alone will not ensure NIST 800-171 compliance.
Furthermore, although CMMC is moving quickly, it could take a few years for it to be fully implemented. During that time, and until all of the details pertaining to CMMC become clear, it will be important to demonstrate compliance with 800-171.
Becoming NIST compliant is an ongoing process. You must continuously assess, design, deploy, and manage your systems. You need to:
However, two essential documents, a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M), satisfy their own NIST controls (3.12.4 for the SSP and 3.12.2 for the POA&M) and anchor the rest of the work:
Start by creating your SSP in a simple spreadsheet that lists each of the 110 requirements. Then go through each one and record how you have implemented the control and whether the implementation satisfies the requirement. Any control you do not currently satisfy goes into your Plan of Action and Milestones (POA&M), with an owner and a target date.
A POA&M is a key document that describes the current status of any vulnerabilities and the actions to be taken to correct them. It facilitates a disciplined and structured approach to tracking risk mitigation activities. The POA&M should include findings from regular ongoing monitoring as well as periodic security assessments, such as the annual assessment.
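The following Python script is an added example, not part of the original page, showing one way to turn a per-control assessment into the two documents described above: an SSP status row for every control, and a POA&M entry for every control that is not fully implemented. The control identifiers follow the SP 800-171 numbering (3.1.1, 3.5.3, and so on); the statuses, owners, implementation text and dates are constructed sample data, not a real assessment. It also performs the checks a reviewer would make: an implemented control must have implementation text in the SSP, a POA&M entry must have an owner and a milestone, and milestones already in the past are flagged as overdue.

```python
"""Build an SSP status table and a POA&M from a per-control assessment.

Added example (not from the original page). Control identifiers use the
SP 800-171 numbering; the statuses, owners, dates and implementation text
below are constructed sample data, not a real assessment.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

VALID_STATUSES = {"implemented", "partial", "not_implemented", "not_applicable"}


@dataclass
class ControlAssessment:
    control_id: str                 # e.g. "3.1.1"
    requirement: str                # short text of the requirement
    status: str                     # one of VALID_STATUSES
    implementation: str = ""        # how the control is met (goes into the SSP)
    owner: str = ""                 # who will fix a gap (required for POA&M entries)
    milestone: Optional[date] = None  # target completion date (required for POA&M)


@dataclass
class PoamEntry:
    control_id: str
    weakness: str
    owner: str
    milestone: date
    overdue: bool


def build_ssp_and_poam(assessment, as_of):
    """Return (ssp_rows, poam_entries, problems).

    ssp_rows: one row per control with its status and implementation text.
    poam_entries: every control that is partial or not implemented.
    problems: data-quality issues that would make the SSP or POA&M unusable.
    """
    ssp_rows, poam, problems = [], [], []
    seen = set()
    for c in assessment:
        if c.control_id in seen:
            problems.append(f"{c.control_id}: duplicated in assessment")
        seen.add(c.control_id)
        if c.status not in VALID_STATUSES:
            problems.append(f"{c.control_id}: unknown status {c.status!r}")
            continue
        # A control claimed as (partially) implemented needs a description in the SSP.
        if c.status in ("implemented", "partial") and not c.implementation.strip():
            problems.append(f"{c.control_id}: status {c.status} but no implementation text")
        ssp_rows.append({"control": c.control_id, "status": c.status,
                         "implementation": c.implementation or "(see POA&M)"})
        # Anything not fully satisfied becomes a tracked POA&M item.
        if c.status in ("partial", "not_implemented"):
            if not c.owner or c.milestone is None:
                problems.append(f"{c.control_id}: POA&M entry needs an owner and a milestone date")
                continue
            poam.append(PoamEntry(c.control_id, c.requirement, c.owner,
                                  c.milestone, c.milestone < as_of))
    return ssp_rows, poam, problems


def summarize(assessment, as_of):
    """Compact summary a manager would want from the two documents."""
    ssp, poam, problems = build_ssp_and_poam(assessment, as_of)
    counts = {s: sum(1 for r in ssp if r["status"] == s) for s in VALID_STATUSES}
    return {"ssp_rows": len(ssp), "counts": counts, "poam": len(poam),
            "overdue": [e.control_id for e in poam if e.overdue], "problems": problems}


# Constructed sample assessment (hypothetical statuses, owners and dates).
SAMPLE = [
    ControlAssessment("3.1.1", "Limit system access to authorized users", "implemented",
                      "AD group membership reviewed quarterly; accounts disabled at termination"),
    ControlAssessment("3.5.3", "Use MFA for local and network access to privileged accounts", "partial",
                      "MFA enforced on VPN and email; not yet on local admin logons",
                      owner="IT lead", milestone=date(2020, 9, 30)),
    ControlAssessment("3.13.11", "Employ FIPS-validated cryptography to protect CUI", "not_implemented",
                      owner="Security", milestone=date(2020, 3, 31)),
    ControlAssessment("3.14.1", "Identify, report, and correct system flaws in a timely manner",
                      "not_implemented"),  # gap with no owner or date: rejected below
    ControlAssessment("3.10.6", "Enforce safeguarding measures for CUI at alternate work sites",
                      "not_applicable"),
]
AS_OF = date(2020, 6, 1)  # assumed assessment date for the overdue check

if __name__ == "__main__":
    report = summarize(SAMPLE, AS_OF)
    print(f"SSP rows: {report['ssp_rows']}  status counts: {report['counts']}")
    print(f"POA&M items: {report['poam']}  overdue: {report['overdue']}")
    for p in report["problems"]:
        print("PROBLEM:", p)
```

In practice the assessment list would be loaded from the spreadsheet described above (one row per control) rather than hard-coded, and the POA&M entries would be re-evaluated on every monitoring cycle so that slipped milestones surface as overdue instead of silently aging.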
What should you do if you discover a cyber incident that may have affected CUI?
Report it to the DoD through the DIBNet portal at https://dibnet.dod.mil/portal/intranet within 72 hours of discovery, as DFARS 252.204-7012 requires. Identify any information that may have been lost or compromised, as well as any computers, data, or accounts that may have been affected, and preserve the relevant images and logs for the follow-up investigation.
A professional assessment can be an effective tool for achieving NIST 800-171 compliance and identifying any gaps that need to be addressed. A thorough assessment evaluates your current security state, shows where you successfully meet criteria, and highlights where changes need to be made.
In preparation for an assessment, it’s important to have senior management involved and ready to work together. Preparation should include:
Because contractors had the ability to self-verify for NIST 800-171, it led many to believe that they could navigate the entire compliance process alone. However, due to the sensitivity of the information involved and the seriousness of a breach, it’s wise to work alongside a partner with expertise in NIST 800-171 compliance.
Achieving (and maintaining) NIST compliance is an exhaustive and ongoing process. An expert will be able to guide you through both the implementation of the standards and continued compliance.
The risk and repercussions associated with a cybersecurity attack are too severe to tackle NIST or CMMC compliance alone. And with authorized audits becoming a mandatory part of certification and a prerequisite for being awarded a contract, any gap or lapse could result in lost revenue.
For the benefit of your business, and the country, it’s best to consult with an expert.