Posted on

NIST SP 800-171 and DFARS Clause 7012

NIST SP 800-171 & DFARS Clause 7012 .

New Cyber Security Regulations

For small businesses planning to business with the U.S. Government and Department of Defense, new cyber security and incident reporting rules will apply. The rules can impact your contract work and the data sent, received or created as part of those efforts. These rules are primarily codified in the National Institute for Science and Technology Special Publication 800-171 Privacy Controls for Federal Information Systems and Organizations and Clause 252.204-7012 to the Defense Federal Acquisition Regulation Supplement. For brevity sake, these are referenced as NIST SP 800-171 and DFARS Clause 7012. Both may have an impact depending on the contract and type of work being done. Conversely, neither may be required – it’s all about the contract, agency and type of work.

NIST SP 800-171

NIST SP 800-171 outlines the basic cyber security measures and controls that must be implemented to protect specific information on non-federal information technology (IT) systems – systems not owned by the Federal Government. Meaning those systems owned, used, or contracted by the small business performing the work. The rules may also apply to suppliers used by the contract holder. NIST SP 800-171 outlines 14 families of security controls that must be considered and implemented. Within these 14 families, a total of 110 specific controls are highlighted. These controls are excerpted from NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. So, the some of the same controls that are used by the government on their own systems, are required to be used on yours to protect specified information. But what information is that?

The intent of the government’s efforts is to protect sensitive information relating to government operations and activities. This is not classified information. Rather, it is information identified as important enough not to be released publicly. The term for this information is Controlled Unclassified Information (CUI). The types of information that may be categorized as CUI may include: critical infrastructure data, privacy information, financial information, intellectual property and many others. Quite frankly, the importance of the information in these categories should obviously be protected and is often required protection under other rules we’re familiar with: HIPAA and PCI to name two. The identification and categorization of CUI is the responsibility of the National Archives and Records Administration, under executive order 13556. The types of information comprising CUI are detailed in the CUI Registry.

DFARS

But where does DFARS Clause 7012 fit in? Clause 7012 is specifically applied to U.S. government contract work with the Department of Defense (DoD). The DoD acknowledges the importance of protecting CUI and, when appropriate by contract, specifies that CUI exists within the program scope and must be protected. This is where the term Covered Defense Information (CDI) arises. CDI is CUI specified by the DoD as requiring protection. Almost as many abbreviations as words in that sentence. In addition to requiring the protection of CUI, Clause 7012 includes more rigorous reporting requirements should a suspected compromise or breach of CUI occur. This reporting requirement is a good thing as it can generate availability of additional resources to help investigate and resolve the suspected release.

The Consideration of Compliance

Another important consideration is that the government must specify what information or results of contract work is categorized as CUI. This must be specified in the contract language so that the requirement for protection is unambiguous. As a contractor and small business, we certainly want to know what we’re getting into. Similarly, if the contract is with the DoD, the contract must highlight what information is CUI and must be protected as CDI. The requirements for protection of CUI and CDI apply to all efforts within the scope of the contract, so careful consideration of downstream vendors and suppliers is necessary to determine if they must be similarly compliant. When in question, contact your contracting officer or representative – better safe than sorry.

For many businesses large and small, these additional protection requirements may appear extraordinarily burdensome. Frankly, I welcome the focus and motivation. We’ve all seen the media reports of sensitive information being disclosed, either accidentally or by malicious activities. While some might think small business can sneak under the radar, quite the opposite is true. Small businesses are often the biggest targets of adversarial activity. What some might fail to recognize, is that the protections required under NIST SP 800-171 often correlate directly with other rules that must be complied with. Standards such as Payment Card Industry Data Security Standard (PCI-DSS) and the Health Insurance Portability and Accountability Act (HIPAA) both require similar protections. The controls themselves are similar to those outlined in the Center for Internet Security (CIS) Top 20 Controls and the International Standards Organization 27002 guidelines for implementing security controls. Of course, we want to protect our business operations and intellectual property too, so having a robust and secure information technology system is also good business.

At Assured Bridge, we’ve created services and resources to ease the path to compliance with NIST SP 800-171 requirements. We call this compliance-as-a-service. We offer complete secure operating environments, secure network and communications solutions and the resources to help you meet and maintain the security foundations necessary to meet your contract commitments.

References cited in this post:

Certified Information System Security Professional Daniel Bjorklund is the information assurance and cybersecurity subject matter expert for Assured Bridge LLC, a company specializing in cybersecurity compliance solutions. With over 20 years’ experience in U.S. military intelligence and security operations, plus significant involvement in government, commercial and private sector cybersecurity initiatives, Dan has comprehensive knowledge of today’s rapidly-evolving cyber-dependent world. A recently-licensed pilot and amateur radio operator, Dan lives with his wife in South Carolina.
Dan can be found on LinkedIn (https://www.linkedin.com/in/dbjorklundcissp/) and Twitter (https://twitter.com/IASE_at_large)