The National Institute of Standards and Technology has released a draft of NIST Special Publication 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. This publication is the standard required for compliance with Defense Federal Acquisition Regulation clause 252.204-7012. You can read a summary of changes on the NIST download page, but what do these updates really mean for defense contractors?
First, the revised version expands on and clarifies the point that the security requirements apply only to components that process, store, or transmit CUI. This could be good news, but in practice it may be difficult to segment the devices that are in scope for CUI from those that are not.
Second, the publication removes references to the “proposed” 32 CFR Part 2002, which will be finalized in 2016. We’ve been waiting for this – there is a specific control that cannot be met until that document is final. Also of note, with this publication there will be only one level of safeguarding for CUI, based on the moderate impact level for confidentiality. This is important because requirements derived from NIST 800-53 differ depending on whether a system is categorized as low, moderate, or high impact. FIPS 199 provides more information on this.
Third, many of our clients have been confused by requirement 3.13.12; it has now been clarified to exclude video teleconferencing systems, which is good news for many.
Finally, and most importantly, the revisions provide more specific guidance on HOW defense contractors will show compliance. For example, a System Security Plan and a Plan of Action and Milestones are now required; Sera-Brynn’s DFARS compliance service includes both of these documents. This was implemented by adding a new control and a new mapping back to 800-53.
Updated references and definitions throughout the document now provide additional guidance on classifying systems, and correctly implementing and interpreting these controls.
Sera-Brynn is the expert in DFARS compliance. We can help with classifying systems, tailoring controls, and most importantly improving the overall security of your organization. Call us today at 757-243-1257 to learn how we can help you.