The National Institute of Standards and Technology has recently published a new document that should help guide organizations that must comply with the CUI/CDI regulations, such as DFARS 252.204-7012 and FAR CFR 32 Part 2002.
They announced the release of this draft publication this month, along with the following information:
It’s crunch time for government contractors. They only have until Dec. 31, 2017, to demonstrate they are providing appropriate cybersecurity for a class of sensitive data called Controlled Unclassified Information (CUI). Otherwise, they risk losing their contracts. For organizations that may be struggling to meet the deadline, the National Institute of Standards and Technology (NIST) has a new publication intended to help.
NIST’s Draft Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information, is a guideline for any organization seeking to comply with the CUI regulation governing the safe handling of information that is important to the U.S. government. CUI is a diverse classification that includes information involving privacy, proprietary business interests and law enforcement investigations.
DoD contractors of all sizes must become DFARS 252.204-7012 compliant before the end of 2017. One aspect of that requirement is to perform a gap analysis of your cybersecurity posture, using the NIST SP 800-171 set of controls. While you aren’t yet required to be 100% compliant on all the NIST SP 800-171 controls, it is expected to be a requirement for winning new DoD business and eventually ALL Federal business.
Additionally, Sentar has clients that are being required to meet the NIST SP 800-171 set of controls for State, City, and County Public School systems. We believe this standard will become pervasive throughout most US industries, both government and commercial.
The NIST article confirms this belief:
“Because contractors do business with other organizations, the impact of this requirement will ripple across the private sector,” said NIST’s Ron Ross, one of the publication’s authors. “It will affect other firms that work with contractors, as well as colleges and universities that work on related research grants.”
The NIST SP 800-171A draft, and the eventual final version, helps provide guidance for meeting those controls, as mentioned in the article:
“The guideline provides organizations with a starting point and framework for developing specific procedures to assess NIST SP 800-171’s CUI security requirements. System, information security and privacy professionals can use it to produce evidence they need to determine if they are correctly implementing their security safeguards.
As each organization will have different needs, the guideline is arranged so that users can find the sections relevant to their own circumstances. Its central chapter provides a catalog of assessment procedures for the 14 families of CUI security requirements in NIST SP 800-171, including assessment objectives and potential assessment methods.”
Sentar can also do all the heavy lifting for you, if you want help in this effort. Please just click on Contact Us and we’ll follow up quickly. The holidays are fast approaching and so is the deadline!