For the past several years protecting what the federal government calls Controlled Unclassified Information (CUI) has been a high priority concern, especially since several major information breaches over the last decade that exposed the personal data of tens of millions of private citizens and federal and state employees. These include the largest one yet, the hacking of the U.S. voter database in 2015, which involved the information of 191 million people, and the next largest, the breach of the National Archives and Records Administration in 2009, affecting 76 million.
Since the beginning of 2018, individuals, companies, and contractors that wish to do business with federal government agencies such as the Department of Defense (DoD), NASA, the Department of Education (DoE), and other major procurers, whether civilian or defense, are required to comply with the regulations outlined in NIST SP 800-171.
The new requirements have been the source of much confusion within businesses wanting to provide products or services to the government, especially when it comes to compliance. The regulations are complex enough that a company should consider bringing in assistance from NIST SP 800-171 compliance consultants. However, it’s important for businesses to have a basic understanding of what these regulations consist of and what it takes to be compliant. This article will attempt to answer those questions.
What Is NIST SP 800-171?
The new guidelines have their origin in Executive Order 13556 signed by President Obama in 2010. This EO mandated the Controlled Unclassified Information (CUI) program, which was intended to standardize the handling of sensitive information across government agencies. Previously each department and agency had its own in-house protocols for handling data, which could be confusing, inefficient, and insecure, especially when sharing information between departments and with outside entities. The National Archives and Records Administration was put in charge of administering the CUI program.
NARA worked in conjunction with the National Institute of Standards and Technology (NIST), which develops computer security standards for the government, to develop specific guidelines for protecting data. The result was a document called “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”, or NIST Special Publication 800-171 for short, which represents the final version of the guidelines. The deadline for compliance, or to show good reason for the delay, was December 31st, 2017.
The Information Security Oversight Office (ISOO), the department within NARA responsible for overseeing implementation of the CUI program, in 2016 and 2017 released two notices, 2016-01 and 2017-01, outlining guidance and recommendations for implementation of and compliance with the CUI program.
John Fitzpatrick, director of the ISOO, stated, “NIST SP 800-171 is critical to our strategy to strengthen needed protections for CUI. Together with NARA’s recently-proposed CUI regulation and a planned Federal Acquisition Regulation clause, we will bring clarity and consistency to the handling of CUI across government.”
What Constitutes CUI?
It would be well to briefly describe just what Controlled Unclassified Information is. The simple definition is that it is any type of information that is considered to be potentially sensitive by the government and should be protected by standards and procedures, but not to the level that it needs to be designated as classified.
Each government agency is required to publish a public list of what is considered to be CUI and why it is considered to be such. The personal information of American citizens is considered to be CUI, as is any data concerning transactions with contractors as well as patents and inventions, for some examples.
As an individual, business, or contractor working with a government agency, you should be familiar with that agency’s definition of CUI.
NIST SP 800-171 Compliance
To do business with the government, any entity that stores, transmits, or processes information considered to be CUI for a state or federal agency must be in compliance with the 14 families of security requirements listed and defined in NIST SP 800-171.
In addition, NIST’s Manufacturing Extension Partnership (MEP), which provides information for smaller manufacturers, has published NIST Handbook 162, “NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements”, which is quite a mouthful but should be quite helpful for anyone wanting assistance with compliance.
As usual with compliance with government regulations, the process can be complex, confusing, and difficult. Taking the measures to get a company into compliance can take six to eight months. It’s highly recommended that a company retain the services of a qualified NIST SP 800-171 compliance consulting firm to streamline the process and to avoid mistakes that could lead to lost business.