NIST Issues Revisions to Special Publication 800-171
On August 16, 2016, the National Institute of Standards and Technology (NIST) released draft revisions to Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (SP 800-171 Rev. 1). SP 800-171 is the primary standards document on which the Department of Defense (DoD) has relied in promulgating its Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity rules for defense contractors,[1] and it will likely be the standards document on which the anticipated controlled unclassified information (CUI) rule governing all federal contractors will be based.
The most substantive change to the publication is the addition of a new requirement, PL-2 (System Security Plan), which is derived from NIST's security and privacy controls standard for federal information systems and organizations (SP 800-53). The revisions contain a substantial discussion of the new requirement:
Nonfederal organizations describe in a system security plan (SSP), how the CUI requirements are met or how organizations plan to meet the requirements. The SSP describes the boundary of the information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems. When requested, the SSP and any associated plans of action and milestones (POAM) for any planned implementations or mitigations should be submitted to the responsible federal agency or contracting officer to demonstrate the nonfederal organization's implementation or planned implementation of the CUI requirements. Federal agencies may consider the submitted SSPs and POAMs as critical inputs to an overall risk management decision to process, store, or transmit CUI on an information system hosted by a nonfederal organization and whether or not to pursue an agreement or contract with the nonfederal organization.
Notably, the revisions also indicate that the anticipated Federal Acquisition Regulation (FAR) clause that will apply to all federal contractors in protecting CUI will not be issued until 2017. SP 800-171 previously indicated the clause would be issued in 2016.
Although the revisions are not comprehensive, federal contractors, particularly those engaged in work subject to the DFARS rules, should review the changes to NIST 800-171 in the revisions. However, we also note that the DFARS rule generally requires compliance with the version of NIST 800-171 in effect at the time the relevant contract is awarded, so only contracts awarded going forward will require compliance with the revisions once they are finalized. NIST is accepting public comments on the revisions until September 16, 2016.
[1] See Arnold & Porter Advisory, "Two More Years: DoD Gives Defense Contractors Until December 31, 2017, to Comply With Baseline 'Adequate' Cybersecurity Requirements"; Arnold & Porter Advisory, "Department of Defense Publishes FAQs on DFARS Cybersecurity Interim Rule"; and "'Adequate Security' and Full Disclosure: The DOD's New Cyber Rules for Contractors," 104 Fed. Cont. Rep. (BNA) No. 970 (Sept. 22, 2015).