If you work with a federal agency, including the Department of Defense (DoD), you have to meet the cybersecurity requirements in NIST SP 800-171. The standard specifies how controlled unclassified information (CUI), information the federal government creates or possesses that is sensitive but not classified, must be protected when it is stored, processed, or transmitted on nonfederal systems.
Later this year or in early 2022, the government is expected to release a CUI Rule in the Federal Acquisition Regulation (FAR). Under this rule, NIST SP 800-171 will apply to all Federal contracts involving CUI.
If you’re a contractor or subcontractor, you might handle CUI in many forms: emails, blueprints or drawings, contracts, sales orders, or electronic files.
If you’re completing a government project involving the handling of CUI, as a contractor or subcontractor you’re required to adhere to these standards.
The following are more specific things to know about compliance.
An Overview of NIST 800-171
The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency that’s responsible for the establishment of guidelines applying to federal agencies on a variety of topics which include cybersecurity. Founded in 1901, NIST is a government agency within the U.S. Department of Commerce. The organizational mission is to promote innovation and competitiveness by advancing science and technology to improve the quality of life and economic security.
NIST SP 800-171 is closely related to NIST SP 800-53. NIST SP 800-53 is the full catalog of security and privacy controls for federal information systems. NIST SP 800-171 is a tailored subset of those controls, written explicitly for nonfederal organizations and systems, and it dictates how contractors and subcontractors of federal agencies are required to protect CUI.
Executive Order 13556, signed by President Obama in 2010, established the CUI program. The EO directed federal agencies to standardize how they mark, safeguard, and share unclassified information that requires protection, replacing the patchwork of agency-specific labels (such as “For Official Use Only”) with one government-wide policy. NIST SP 800-171 was published later, in 2015, to define the security requirements for protecting that information on nonfederal systems.
Then, in 2014, Congress updated federal cybersecurity law with the Federal Information Security Modernization Act (FISMA 2014), which reinforced the requirement to protect federal information wherever it is held.
What Does NIST 800-171 Do?
The goal of NIST SP 800-171 is to standardize the protection of CUI. CUI is sensitive data that, under federal law, is not classified; classified national security information is governed by separate authorities, such as Executive Order 13526.
Every agency has to report the categories of data it considers CUI to the National Archives and Records Administration (NARA), which maintains the government-wide CUI Registry.
Again, this guideline applies to federal contractors and subcontractors. If you or a company you work with has a federal agency contract that involves CUI, you’re required to comply. The obligation reaches you through contract clauses (for DoD work, DFARS 252.204-7012 requires NIST SP 800-171 compliance) and through flow-down from prime contractors to their subcontractors and suppliers, so you can be bound by it even when you never contract with the agency directly.
According to a New York University study from 2017, around nine million people work for the federal government, and 40% of them are private contractors who have to protect CUI. The threat of a data breach against that population is constant.
Federal information systems are regulated by NIST SP 800-53, but until NIST SP 800-171 there was no comparable standardized set of protections for commercial contractors. Attackers exploited this gap and began targeting subcontractors and very small suppliers and manufacturers, whose systems held federal data but were not held to federal controls.
Small and medium-sized businesses (SMBs) are prime targets for attacks because they usually dedicate a much smaller amount of resources to data protection and cybersecurity.
NIST Cybersecurity Framework
Under the general NIST Cybersecurity Framework (CSF), five core activities need to be in place to manage and reduce threats related to cybersecurity. These include:
- Identify: Gain an organizational understanding of managing cybersecurity risks to data, assets, and systems.
- Protect: Create and then implement safeguards to ensure delivery of critical services.
- Detect: Develop and implement the activities needed to identify the occurrence of a cybersecurity event.
- Respond: Develop activities to take action if an event is detected.
- Recover: Develop and subsequently implement needed activities to remain resilient and restore capabilities impacted by a cybersecurity event.
It’s Not Optional
Because CUI is under persistent threat, any government contractor who works with this information has to implement the NIST SP 800-171 controls.
DoD contracts that might involve CUI contain clauses mandating security compliance.
You don’t have to contract directly with DoD, or even handle CUI yourself, to be required to comply: prime contractors pass the requirement on to their subcontractors. This is called flow-down, meaning whatever the prime contractor must adhere to applies to every participant down the supply chain.
Any contractor, subcontractor, vendor, or supplier bidding on a federal or DoD contract with compliance requirements has to show that it is compliant. Misrepresenting your compliance is a violation of the False Claims Act and can lead to fines, loss of contracts and of the ability to bid on future contracts, and even criminal charges.