NIST Issues Proposed Revision to Cybersecurity Controls and Requirements to Protect Information on Non-Federal Information Systems
On May 10, the National Institute of Standards and Technology (NIST) released a public draft of Revision 3 to NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (Revision 3), which establishes security controls that apply to non-federal information systems that store, process, or transmit controlled unclassified information (CUI) or that provide protection for such components, and only where no other applicable law, regulation, or policy prescribes different or more specific safeguarding requirements. This proposed revision accounts for over a year of data collection and public comments to better align cybersecurity requirements between federal and non-federal information systems to address specific threats to CUI, such as defense information, export-controlled information, health information, personally identifiable information, critical energy infrastructure information, and intellectual property.
NIST stated in its release of the draft Revision 3 that “[m]any trade-offs have been made to ensure that the technical and non-technical requirements have been stated clearly and concisely while also recognizing the specific needs of both federal and nonfederal organizations.” A summary of the updates is provided below. Comments on the proposed revision are due July 14, 2023.
SP 800-171 outlines security requirements that government contractors should (and in some instances, may be required to) implement in covered information systems. Federal agencies using federal information systems to process, store, or transmit CUI must comply with NIST standards, including those specified in Revision 5 to NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, which outlines controls and technical tools used to develop and secure federal information systems. The U.S. government has increasingly required that contractors put in place similar security measures for non-federal information systems that store, process, or transmit CUI. The updates set out in Revision 3 seek to harmonize SP 800-171 with SP 800-53, and in turn make it easier for contractors to comply with the requisite cybersecurity measures. Several key changes are noted below.
- Elimination of Basic Security Requirements Compliance: Revision 3 removes the distinction between basic security requirements from FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and derived requirements from SP 800-53. Previously, contractors were required to comply with both basic and derived controls, but through Revision 3, contractors will only be required to show compliance with derived controls.
- Updated Security Requirement Specifications: Prior to this revision, certain security requirements in SP 800-171 were defined at a high level, leaving them open to interpretation by contractors. In turn, those entities assessing contractor compliance could have differing expectations or interpretations of whether the organization had in fact satisfied the relevant requirement. The latest revision seeks to eliminate that ambiguity by providing more detail, both regarding the requirements themselves and the associated assessments. While this may offer clarity regarding the U.S. government’s expectations of non-federal information systems, the added detail could have unintended consequences. The current SP 800-171 standards were intended to provide contractors with some level of flexibility, including based on risk assessments. Even with that flexibility, many contractors (particularly small businesses) have faced compliance challenges, and making the requirements more prescriptive may only exacerbate those difficulties.
- Addition of New Security Requirements: With Revision 3, NIST added new security requirements to several security requirement families, including: Access Control, Identification and Authentication, Physical Protection, Risk Assessment, Systems and Communication Protection, Systems and Information Integrity, and to the newly added security requirement families — Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR). While these additions did not significantly increase the number of security requirements imposed by SP 800-171, including because several existing requirements were withdrawn as outdated or redundant, contractors should be on the lookout for multi-part requirements imposing new obligations.
- Development of a Prototype CUI Overlay: Prior to the issuance of Revision 3, many organizations expressed concerns over the different security and risk management frameworks applied to the public and private sectors. In response, NIST added a “Prototype CUI Overlay” to SP 800-171. NIST developed this prototype to show how the moderate control baseline in SP 800-53 is tailored at the control level and to map those tailored controls to the security requirements necessary to protect CUI.
- Introduction of Organization-Defined Parameters (ODPs): In select security requirements, NIST added ODPs, which afford federal agencies the flexibility to “specify values for the designated parameters.” ODPs can be based on “laws, Executive Orders, directives, regulations, policies, standards, guidance, or mission and business needs.” Once specified, those ODPs will become part of the requirement. This could create various challenges for contractors, particularly those that do business with a variety of federal agencies and may therefore be forced to comply with different, and potentially conflicting, customer requirements.
These and other changes captured in Revision 3 will affect contractors that perform work for a variety of federal agencies, but the impacts may be most acute for defense contractors. The Department of Defense (DoD), through Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, requires contractors with information systems that store, process, or transmit covered defense information (essentially, CUI obtained in the performance of a DoD contract) to comply with SP 800-171. DFARS 252.204-7012 generally requires contractors to comply with the SP 800-171 security controls in effect when the solicitation was issued, but notes the contracting officer’s ability to authorize otherwise. Other agencies are also expected to roll out cybersecurity requirements that utilize SP 800-171 standards. Thus, contractors should be prepared to comply with Revision 3, not only for forthcoming procurements, but also because agencies may elect to implement the security controls and requirements therein through contract modification.
Revision 3 could also affect the long-awaited Cybersecurity Maturity Model Certification (CMMC) program. Recent DoD guidance indicates that CMMC will establish three “Maturity Levels” (down from the five Maturity Levels under so-called “CMMC 1.0”). Contractors that store, transmit, or process CUI on non-federal information systems must meet Maturity Level 2 (formerly Maturity Level 3), which is based on SP 800-171 standards. It is not yet clear whether or how CMMC will incorporate any SP 800-171 revisions and, if it does, how that might affect contracts that are certified under existing SP 800-171 standards.
In addition to the proposed Revision 3 to SP 800-171, contractors should also be aware of a recent notice issued by the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security. CISA is requesting comments on a draft self-attestation form that software producers would need to complete to confirm compliance with the secure software practices outlined in NIST SP 800-218, Secure Software Development Framework, before their software could be used by the federal government. CISA anticipates federal agencies adding their own agency-specific requirements to the self-attestation form. A draft version of the form can be found here. Comments on the self-attestation form are due by June 26, 2023.
© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.