Have you updated your cybersecurity compliance policies recently? If you are a government contractor and have not, you may be out of compliance. On May 14, 2024, the National Institute of Standards and Technology ("NIST") released the latest version of Special Publication ("SP") 800-171—revision 3—along with an update to the companion publication, and that revision has been the applicable standard for solicitations issued since that date.
NIST SP 800-171—A General Overview
If you have heard of NIST SP 800-171, you may groan at the very mention of it. If you have not heard of it, you likely will groan when you open it,[1] or its companion publication.[2]
Nevertheless, SP 800-171 is an important part of government contracting. The publication provides requirements for protecting the confidentiality of Controlled Unclassified Information ("CUI") that government contractors receive or generate during contract performance. The companion publication, 800-171A, helps government contractors implement (and assess their implementation of) 800-171.
The U.S. Government considers keeping CUI protected "of paramount importance" and necessary for the Government to conduct essential missions and functions successfully.[3] Because the Government finds it of paramount importance, the contractor must likewise take the protection of CUI seriously if it wants to obtain and keep government contracts.
Who Does NIST SP 800-171 Apply To?
The update applies directly to any contractors (or subcontractors) whose contracts contain DFARS clause 252.204-7012: "[T]he covered contractor information system shall be subject to the security requirements in (NIST SP 800-171) in effect at the time the solicitation is issued or as authorized by the Contracting Officer." DFARS 252.204-7012(b)(2)(i) (emphasis added).
Thus, if you are a government contractor bidding on a solicitation or have won an award since May 14, 2024, containing DFARS 252.204-7012, you already need to comply with the new revision of NIST SP 800-171.
Even if a company is not required to follow SP 800-171, the NIST standard is quickly becoming the industry standard, and Government entities are increasingly implementing the NIST framework. For example, it is likely that compliance with SP 800-171r3 will become a part of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program.[4]
Further, the risk—and costs—of cyberattacks increase with each year. In 2023, the global average cost of a data breach was $4.45 million, representing a 15% increase over three years.[5] Companies can use SP 800-171r3 to mitigate those risks.
A NIST SP 800-171r3 and NIST SP 800-171Ar3 Checklist
Following is a compliance checklist based on the NIST SP 800-171r3:[6]
System and Information:
- Define types of system accounts and authorizations (3.01.01) and separation of duties (3.01.04);
- Record and audit necessary event types (3.03.01 – 3.03.07);
- Protect the audit information (3.03.08);
- Establish baseline configuration settings, and when deviations are allowed (3.04.01), including, but not limited to:
  - Device locks (3.01.10);
  - Automatic session termination (3.01.11);
  - Automatic privacy and security notices (3.01.09); and
  - Limitations of logon attempts (3.01.08);
- Configure the system to operate in the most restrictive way possible (3.01.01, 3.01.05 – 3.01.07, 3.04.02, 3.04.06);
- Identify software programs authorized to execute on the system (3.04.08, 3.04.10);
- Identify where information is stored and processed (3.04.11), who has access to the system, system control changes (3.04.03, 3.04.04, 3.04.05), and what devices can access the system (3.05.02);
- Implement policies for access to privileged and non-privileged accounts (3.05.03, 3.05.04) and for managing and protecting passwords (3.05.07);
- Use authenticators (3.05.01, 3.05.05, 3.05.11, 3.05.12);
- Prevent unauthorized and unintended information transfer via shared system resources (3.13.04);
- Deny network communications by default; accept only by exception (3.13.06);
- Use cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission and storage (3.13.08) and to protect confidentiality of CUI (3.08.09, 3.13.11);
- Terminate network connections at the end of a session (3.13.09); and
- Establish a system of receiving and disseminating external security alerts, for example, from the CISA, the NSA, or the FBI (3.14.03).
Monitoring & Detection:
- Monitor and approve intersystem exchange of CUI (3.12.05), as well as external (and key internal) managed interfaces (3.13.01);
- Establish a mechanism to scan and detect malicious code at a system's entry and exit points and eradicate any such code found (3.14.02);
- Monitor the system for attacks, potential attacks, unauthorized connections or uses of the system, and inbound and outbound communications (3.14.06);
- Monitor and report incidents (3.06.02);
- Monitor and scan for vulnerabilities (3.11.02, 3.12.01, 3.14.01);
- Identify, control, and monitor authorized maintenance personnel and tools (3.07.04, 3.07.05, 3.07.06); and
- Monitor physical access to the facility where the system resides (3.10.02).
Personnel:
- Enforce approved authorizations (3.01.02, 3.01.03);
- Train system users (3.01.22, 3.02.01, 3.02.02);
- Identify when personnel travel to high-risk locations and have policies for that (3.04.12); and
- Conduct incident response training and testing (3.06.03, 3.06.04), have an incident response plan in place (3.06.05, 3.15.02, 3.15.03, 3.17.01), and perform risk assessment and response (3.06.05, 3.11.01, 3.11.04).
Physical Facilities and Equipment:
- Screen individuals prior to authorizing access (3.09.01); disable and revoke access after termination (3.01.01, 3.09.02). Review access if transferred or reassigned (3.09.02);
- Have a list of who has access to the physical facility where the system resides (3.10.01);
- Establish alternate work sites allowed for use by employees and security requirements for working there (3.10.06);
- Prohibit remote access (3.01.12), including remote activation of collaborative computing devices (whiteboards, microphones, cameras, etc.) (3.13.12);
- Control and restrict mobile devices (3.01.18) as well as wireless access (3.01.16);
- Replace unsupported system components. If irreplaceable, have options for risk mitigation or alternative sources (3.16.02);
- Physically control and securely store (3.08.01) and mark media containing CUI (3.08.04), restrict access (3.08.02, 3.10.07, 3.10.08, 3.08.07), sanitize media prior to disposal or release (3.01.22, 3.08.03), and protect media during transport (3.08.04, 3.14.08); and
- Enforce access protection at entry and exit points to the facility where the system resides (3.10.07).
Miscellaneous Policies on:
- Incident handling (3.06.01);
- Supply chain risk management (3.17.01, 3.17.02, 3.17.03);
- Deny external system services by default and allow them only by exception; external services must comply with security requirements defined by the company, and the government contractor retains responsibility for managing the risk from the use of external system services (3.01.20, 3.16.03); and
- Principles for development or modification of system (3.16.01).
Consulting Dunlap, Bennett & Ludwig's government contracts and compliance team, which does full compliance reviews, can help you and your company ensure you are compliant with the Government's standards while letting you concentrate on developing your business and winning more contracts. We conduct compliance assessments, develop compliant policies and procedures, create full systems of internal controls/checks and balances, and train our clients' functional teams on their roles and responsibilities for compliance. To learn more about Dunlap Bennett & Ludwig and how we can help you, call today at 800-747-9354 or email us at clientservices@dbllawyers.com.
Footnotes
1. https://nvlpubs.nist.gov/NIST.SP.800-171r3.pdf
2. https://nvlpubs.nist.gov/NIST.SP.800-171Ar3.pdf
3. https://csrc.nist.gov/pubs/sp/800/171/r3/final
4. https://dodcio.defense.gov/CMMC/About/
5. https://www.ibm.com/reports/data-breach
6. This is not intended to be an exhaustive list and should not be relied upon in place of reading NIST SP 800-171r3. A full table of changes can be found here: https://csrc.nist.gov/files/pubs/sp/800/171/r3/ipd/docs/sp800-171r2-to-r3-ipd-analysis.xlsx
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.