United States: NIST's Highly-Anticipated Security Requirements Draft Impacts Government Contractors' Treatment Of CUI

Government contractors have until December 31 to implement security requirements from NIST Special Publication (SP) 800-171 as mandated by the Defense Federal Acquisition Regulation Supplement (DFARS). The requirements include provisions for protecting Controlled Unclassified Information (CUI), meaning government information that is sensitive but unclassified (see the CUI Registry), in nonfederal systems, and compliance is expected to be required soon under civilian agency contracts through a forthcoming FAR case. How to implement these requirements has caused some confusion. In response, on November 28, 2017, NIST released its highly-anticipated draft publication providing assessment procedures.

As we reported in more detail in our GovCon blog, NIST states that its draft publication, NIST SP 800-171A on "Assessing Security Requirements for Controlled Unclassified Information," will "help organizations develop assessment plans and conduct efficient, effective, and cost-effective assessments of the security requirements in Special Publication 800-171." The draft special publication includes assessment procedures relating to each of the security requirements in the fourteen families included in NIST SP 800-171. These include requirements for limiting access to controlled information, tracking and reporting cyber incidents, and employee training. The draft publication also describes methods by which companies can "generate evidence to support the assertion that the security requirements have been satisfied." Thus, it appears that an organization that conducts the suggested assessments in the draft publication and generates supporting documentation can present that documentation to its agency customer as proof of compliance with NIST SP 800-171.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
