The National Institute of Standards and Technology (NIST) is a government agency that’s part of the U.S. Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
Established in 1901, NIST employs over 2,000 scientists and engineers. It has created thousands of standards and special publications, including NIST SP 800-171, which defines how to protect and distribute Controlled Unclassified Information (CUI) created or possessed by non-federal entities.
Anyone who processes, stores, or transmits CUI for the Department of Defense (DoD), General Services Administration (GSA), NASA, and other federal and state agencies must meet the standards outlined in 800-171. That includes contract agencies.
CUI is at the core of NIST 800-171. It’s the reason the standards were created. Controlled Unclassified Information (CUI) is unclassified information and not strictly regulated by the federal government, but it is sensitive and needs safeguarding.
Numerous categories of CUI include:
Federal information systems had long been regulated by NIST SP 800-53, but until NIST SP 800-171 was published, no comparable standard applied to the commercial contractors that support the DoD and other government agencies. Cyber attackers targeted these smaller businesses, which typically allocate a smaller budget (if any) to security, making them vulnerable to breaches.
With NIST 800-171, the U.S. government established standards that define how CUI must be safeguarded, making it harder for attackers to reach the sensitive information that federal contractors handle.
NIST SP 800-171 was derived from FIPS 200 and NIST SP 800-53. It contains 110 security requirements organized into the following 14 families, which cover both administrative and technical areas:
3.1 Access Control
3.2 Awareness and Training
3.3 Audit and Accountability
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.7 Maintenance
3.8 Media Protection
3.9 Personnel Security
3.10 Physical Protection
3.11 Risk Assessment
3.12 Security Assessment
3.13 System and Communications Protection
3.14 System and Information Integrity
Many of the government-specific security controls within each 800-171 family can be confusing. That is why CMMC has created a helpful guide that uses simple and direct language to spell out what is required within each control.
Several controls typically require third-party software to achieve compliance. However, it’s important to note that not all families are IT-related—some address physical security, personnel, and awareness and training.
Due to the sensitivity of the information at risk and the persistent threat of a breach, NIST 800-171 was created as a requirement for all government contractors. As of February 2018, around 8% of private contractors reported a data breach at least once since 2016. In many of those cases, there were multiple breaches. That means personal information for nearly 300,000 employees was compromised.
DFARS 252.204-7012 (b)(2)(ii)(a) requires contractors to implement NIST SP 800-171, Protecting CUI in Nonfederal Systems and Organizations, no later than December 31, 2017.
In response to the failure of self-assessment, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) announced the Cybersecurity Maturity Model Certification (CMMC), a new certification model designed to verify that DoD contractors have sufficient controls to safeguard sensitive data.
Though it would seem that CMMC will be replacing NIST 800-171, it’s important to note that the two are not interchangeable. While both NIST 800-171 and CMMC primarily focus on CUI, NIST 800-171 also addresses 63 Non-Federal Organization (NFO) controls. So, CMMC certification will not ensure NIST compliance.
Noncompliance will result in failure to obtain a contract, loss of contract, and removal from the DoD Approved Vendor list.
If you are an organization within the DoD supply chain, or a commercial entity that handles sensitive information (which may or may not include FCI, CUI, CTI, or CDI), and you have questions or need assistance, click the CONTACT US link below. CSSC provides a free consultation to answer your questions or to get started working on a solution with you.
Copyright © 2024 Cyber Security & Specialty Consultants - All Rights Reserved.