This is the second in a series of blog posts on the Interim Rule regarding cybersecurity issued by the Department of Defense that goes into effect on November 30, 2020 (see prior blog). The Interim Rule relies upon the National Institute of Standards and Technology (“NIST”) Special Publication 800-171 as the cybersecurity compliance standard. This blog provides an overview of NIST 800-171. NIST has a webpage that provides links to all of the publications discussed below.
The original NIST SP 800-171 was issued in December 2016, Rev. 1 was issued June 6, 2018, and Rev. 2 was issued Feb 21, 2020. Additional documentation on the NIST website for Rev. 2 includes a “CUI Plan of Action template (word),” a “CUI SP template (word)” and a “Mapping: Cybersecurity Framework v.1.0 to SP 800-171 Rev. 2 (xls)” to help contractors become cybersecurity compliant. There is also an SP 800-171A for “Assessing Security Requirements for Controlled Unclassified Information” and an SP 800-171B (draft) for “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets.” SP 800-171B (draft) has been superseded by SP 800-172 (Draft), “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft).” Currently SP 800-171 Rev. 2 is the primary compliance document, and SP 800-172, once it is issued, will apply to Controlled Unclassified Information (CUI) “associated with critical programs or high value assets in nonfederal systems and organizations from the advanced persistent threat (APT). The APT is an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using both cyber and physical attack vectors.”
The purpose of SP 800-171 is to provide federal agencies with the recommended security requirements for protecting CUI when the CUI is resident in a nonfederal system and organization. The requirements apply only to “components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.” Federal agencies using federal systems to process, store, or transmit CUI must, at a minimum, comply with two Federal Information Processing Standards (“FIPS”) publications, FIPS 199 and FIPS 200, and two Special Publications (“SP”), SP 800-53 and SP 800-60 Vol. 1 and Vol. 2. SP 800-171 carries these requirements forward to contractors who will be handling CUI. FIPS 199 primarily establishes the standards for the three levels of potential impact, i.e., the impact on the government if the CUI is not protected and is released. These three levels are low, moderate, and high. SP 800-171 is not particularly concerned with low impact; instead, it applies to CUI that is at least moderate impact.
The security controls are either basic or derived and are described in FIPS 200. There are fourteen families: Access Control, Media Protection, Awareness and Training, Personnel Security, Audit and Accountability, Physical Protection, Configuration Management, Risk Assessment, Identification and Authentication, Security Assessment, Incident Response, System and Communications Protection, Maintenance, and System and Information Integrity. Each of these families has sub-elements, which are described and discussed in Chapter 3 of SP 800-171. For example, the first family has 2 basic requirements (e.g., 3.1.1 “Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)”) and 20 derived requirements (e.g., 3.1.8 “Limit unsuccessful logon attempts”). In total there are 110 requirements/controls across the 14 families.
Finally, SP 800-171 Appendix D provides the tables that map the basic and derived security requirements to the security controls. For example, 3.1.1 and 3.1.2 are derived from NIST SP 800-53 AC-2, AC-3, and AC-17 plus various ISO/IEC 27001 Security Controls. AC-2 relies upon A.9.2.1 – A.9.2.3, A.9.2.5 and A.9.2.6. All of this information is then put into a System Security Plan (“SSP”), which describes how an organization complies with each particular requirement and control and also provides an assessment of the organization’s compliance with that requirement and control. The template “CUI SP template (word),” provided as a supplemental document, lists each requirement/control and then records one of three responses: “implemented,” “planned to be implemented,” or “not applicable.” Items that are “planned to be implemented” are tracked via a document called the “Plan of Action and Milestones” (“POAM” or “POA&M”); a template, “CUI Plan of Action template (word),” is also provided on the SP 800-171 Rev. 2 page.
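To make the SSP-to-POA&M workflow described above concrete, here is a small added example (not from the blog, and not NIST's own templates or tooling) that models SSP rows with the three allowed responses, checks them for internal consistency, and derives the POA&M from the “planned to be implemented” rows. The requirement identifiers are SP 800-171 numbers and the family numbering follows Chapter 3 of SP 800-171; the row descriptions, milestone dates, justification text, and the rule that a “not applicable” row must carry a justification are assumptions made for this example.

```python
"""Added example: a minimal SSP / POA&M model for SP 800-171 rows (not NIST's or the blog's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# The three responses the "CUI SP template" allows for each requirement (from the post).
ALLOWED_STATUSES = ("implemented", "planned to be implemented", "not applicable")

# The 14 requirement families keyed by their SP 800-171 Chapter 3 section number
# (3.1 = Access Control ... 3.14 = System and Information Integrity).
FAMILIES = {
    1: "Access Control", 2: "Awareness and Training", 3: "Audit and Accountability",
    4: "Configuration Management", 5: "Identification and Authentication",
    6: "Incident Response", 7: "Maintenance", 8: "Media Protection",
    9: "Physical Protection", 10: "Personnel Security", 11: "Risk Assessment",
    12: "Security Assessment", 13: "System and Communications Protection",
    14: "System and Information Integrity",
}

# Date used to decide whether a milestone is overdue (the Interim Rule effective date from the post).
AS_OF = date(2020, 11, 30)


@dataclass
class SspEntry:
    """One row of a System Security Plan: a requirement and the organization's response."""
    req_id: str                   # e.g. "3.1.8"
    status: str                   # one of ALLOWED_STATUSES
    description: str = ""         # free text; sample values below are constructed
    milestone: date | None = None  # needed for the POA&M when status is "planned to be implemented"
    justification: str = ""       # assumed required when status is "not applicable"


def family_of(req_id: str) -> str:
    """Map a requirement id like '3.1.8' to its family name; raise on malformed or unknown ids."""
    parts = req_id.split(".")
    if len(parts) != 3 or parts[0] != "3" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed requirement id: {req_id!r}")
    family_no = int(parts[1])
    if family_no not in FAMILIES:
        raise ValueError(f"unknown family in requirement id: {req_id!r}")
    return FAMILIES[family_no]


def validate_ssp(entries: list[SspEntry]) -> list[str]:
    """Return a list of problems; an empty list means the SSP rows are internally consistent."""
    problems: list[str] = []
    seen: set[str] = set()
    for e in entries:
        try:
            family_of(e.req_id)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if e.req_id in seen:
            problems.append(f"{e.req_id}: listed more than once")
        seen.add(e.req_id)
        if e.status not in ALLOWED_STATUSES:
            problems.append(f"{e.req_id}: status {e.status!r} is not one of {ALLOWED_STATUSES}")
        elif e.status == "planned to be implemented" and e.milestone is None:
            problems.append(f"{e.req_id}: planned item has no milestone date for the POA&M")
        elif e.status == "not applicable" and not e.justification.strip():
            problems.append(f"{e.req_id}: 'not applicable' needs a justification (assumed rule)")
    return problems


@dataclass
class PoamItem:
    req_id: str
    family: str
    milestone: date
    overdue: bool


def build_poam(entries: list[SspEntry], as_of: date = AS_OF) -> list[PoamItem]:
    """Derive the Plan of Action and Milestones from the planned SSP rows, earliest milestone first."""
    items = [
        PoamItem(e.req_id, family_of(e.req_id), e.milestone, e.milestone < as_of)
        for e in entries
        if e.status == "planned to be implemented" and e.milestone is not None
    ]
    return sorted(items, key=lambda i: (i.milestone, i.req_id))


def summarize(entries: list[SspEntry]) -> dict[str, int]:
    """Count SSP rows per status; any status outside the allowed three is counted as 'invalid'."""
    counts = {s: 0 for s in ALLOWED_STATUSES}
    counts["invalid"] = 0
    for e in entries:
        counts[e.status if e.status in ALLOWED_STATUSES else "invalid"] += 1
    return counts


# Constructed sample SSP: the ids are SP 800-171 requirement numbers; descriptions, dates and
# the justification text are made up for this example.
SAMPLE_SSP = [
    SspEntry("3.1.1", "implemented", "limit system access to authorized users"),
    SspEntry("3.1.2", "implemented", "limit access to permitted transactions/functions"),
    SspEntry("3.1.8", "planned to be implemented", "limit unsuccessful logon attempts",
             milestone=date(2021, 1, 15)),
    SspEntry("3.8.1", "implemented", "sample media protection row"),
    SspEntry("3.10.1", "not applicable", "sample physical protection row",
             justification="constructed: no CUI handled at this site"),
    SspEntry("3.13.8", "planned to be implemented", "sample transmission protection row",
             milestone=date(2020, 11, 1)),
]

if __name__ == "__main__":
    for p in validate_ssp(SAMPLE_SSP):
        print("PROBLEM:", p)
    for item in build_poam(SAMPLE_SSP):
        print(f"{item.req_id:8} {item.family:40} due {item.milestone} [{'OVERDUE' if item.overdue else 'open'}]")
    print(summarize(SAMPLE_SSP))
```

Run as a script, it prints any consistency problems, the POA&M sorted by milestone with overdue items flagged against the 2020-11-30 date, and a count of rows per response. Keeping the SSP as structured rows rather than free text is what makes the POA&M derivable instead of maintained by hand, and it lets the same data feed an assessment later.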
As you can see, compliance with the DoD cybersecurity requirements is complicated. And while, as an attorney, I cannot help you with determining whether you are compliant with the standards, I can advise on whether or not you need to be compliant based on your contracts. If you have been working on contracts that included the DFARS clause 252.204-7012, I recommend that you do the assessment under the attorney-client privilege, while you determine whether you have made any false statements to the government regarding your compliance.
For more information on this issue, contact MWL Counsel Johana “Jody” Reed.