Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, revised in 2015 to point at NIST SP 800-171, protects Controlled Unclassified Information (CUI).  CUI is information that is not classified but still must be protected: sensitive information that does not require a security clearance to view, yet that the government requires its contractors to safeguard.

The National Institute of Standards and Technology (NIST) has published Special Publication 800-171 to provide guidance on how to protect CUI in nonfederal systems, that is, in the private sector.  DFARS requires DoD contractors and subcontractors that store, process, or transmit CUI on their own systems to implement NIST SP 800-171 by December 31, 2017.  That deadline is quickly approaching.

NIST Special Publication (SP) 800-171 is derived from the moderate baseline of the larger NIST SP 800-53, tailored to drop controls that are uniquely federal or that nonfederal organizations are expected to satisfy routinely, so an organization that is already compliant with the 800-53 moderate baseline will find most of 800-171 already covered.  800-171 divides its 110 requirements into fourteen families as follows:

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Physical Protection
  10. Personnel Security
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

Implementing these categories requires policies to provide direction, technologies to implement technical controls and automation, and training to ensure that users operate technology securely and protect data as they work with CUI.

This process can take some time, so it is important to start now if your company plans to do business with the DoD or with other federal agencies that adopt 800-171.  A variety of technologies are available to automatically enforce policy; monitor systems, events, and traffic; analyze metrics against baselines; detect anomalies; block malware; protect against data loss; and encrypt traffic, among other things.  Technology adoption can be streamlined through cloud or managed services, though the contractor remains responsible for the requirements and should confirm in writing which of them the provider actually covers.  Some controls overlap across different solutions, so it is important to choose a mix that covers the requirements effectively without significantly increasing managerial complexity.  NIST SP 800-171 also provides some flexibility: specific requirements may be met through alternative organizational controls, as the excerpt below states.

Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every CUI security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a particular requirement.

Proper planning can identify not only efficiencies in selection and implementation, but also requirements that do not apply to your environment or that are better met by a compensating control.  Either way, document the decision: NIST SP 800-171 itself requires a system security plan (requirement 3.12.4) and plans of action for deficiencies (requirement 3.12.2), and those documents are what a DoD contracting officer will expect to see for any requirement that is not implemented as written.  Seek guidance from experienced professionals to avoid unnecessary complexity or redundancy.

To wrap it up, NIST SP 800-171 provides guidance on how to protect CUI in nonfederal systems, and DoD contractors, as well as their subcontractors, will need to implement its requirements to be in compliance with DFARS 252.204-7012 and continue to do business with the DoD in 2018.