On December 30, 2015, the U.S. Department of Defense (DOD) published a three-page interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS) that gives government contractors a deadline of December 31, 2017 to implement the requirements of the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171.
These requirements protect the confidentiality of Controlled Unclassified Information (CUI) in non-federal systems and organizations. If you are a government contractor, failure to meet these requirements has severe consequences including the potential loss of your current contracts.
NIST 800-171 Implementation Challenges
Often the hardest challenge is determining whether an information system is processing Covered Defense Information (CDI) and is therefore within the scope of DFARS 252.204-7012 and must meet NIST 800-171. For information that is marked in the contract, this is an easy determination. But the DFARS clause also includes CUI that is “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.” This broadens the scope to information that is created or received by the organization but not marked. For organizations with multiple information systems, determining which systems process CDI may not be obvious. Furthermore, many organizations aren’t sure whether their federal data and records are classified as CUI, or whether the right safeguards are in place to protect that CUI.
Establish Security Baseline
First, we will help you identify any federal information in your custody that falls into one of the National Archives’ 22 categories of CUI. We'll review and document your existing security system architecture to identify the system elements that process CUI-related data. We'll also review internal security plans and procedures to gain an understanding of documented protocols as well as employee cyber-related work habits (both good and bad).
Next, we'll assist with security controls selection. NIST SP 800-171 specifies 110 security controls organized in 14 families to assure best practices in protecting CUI. Based upon review of your security system baseline, Celeris experts will identify the controls you need to comply with, supplemented by best-practice configuration requirements for the hardware, software, and networks involved. We'll support implementation of these controls as required.
Next, we'll assess your current state of compliance with the identified security controls. The assessment will include compliance and vulnerability testing of technical controls and evaluation of security policies, procedures, and administrative controls through interviews, reviews, and inspections. We'll also document how your security architecture properly isolates CUI into its own security domain and make recommendations where the baseline security architecture needs modification.
We'll help you address anything that needs remediation. After identifying any vulnerabilities or non-compliant controls, we’ll assess the residual risk of the system and recommend steps for remediation or mitigation documented in a comprehensive Plan of Action and Milestones (POA&M).