Assessing Contractor Cybersecurity of Federal Controlled Unclassified Information – New Guidelines

Published: March 24, 2022

Tags: Federal Market Analysis, Contracting Trends, Cybersecurity, NIST, Policy and Legislation

The top federal standards body has released a new guide for internal and external auditors assessing contractor protections of sensitive federal data.

The National Institute of Standards and Technology (NIST) recently released Special Publication (SP) 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information (CUI). The newly finalized SP is the assessment companion to SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information, which in turn supplements SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. SP 800-171 sets the baseline security requirements for CUI residing in contractor IT systems; SP 800-172 adds enhanced requirements for systems that face advanced persistent threats; and the new publication provides the procedures for assessing whether those enhanced requirements have been met.

The new NIST publication is aimed at individuals with system development, information security, and privacy responsibilities, and at assessors, whether internal or external, who need to evaluate their organizations’ CUI protection capabilities and practices.

Areas of Enhanced Security for CUI

NIST organizes their CUI enhanced security requirements into the following ten areas, which they call families in the SP:

  • Access Control
  • Awareness and Training
  • Personnel Security
  • Configuration Management
  • Risk Assessment
  • Identification and Authentication
  • Security Assessment
  • Incident Response
  • System and Communications Protection
  • System and Information Integrity

The remaining four of SP 800-171’s fourteen families contain no enhanced security requirements and so have no procedures in the new publication: Audit and Accountability, Maintenance, Media Protection, and Physical Protection. Their baseline requirements still apply and are still assessed under SP 800-171.

CUI Security Assessment Procedures

NIST defines the elements of its assessment procedures and groups them by family. Each assessment procedure consists of an assessment objective plus supporting assessment methods and assessment objects. Each objective is expressed as a set of determination statements that mirror the content of the enhanced security requirement being assessed; where a requirement contains organization-defined parameters (ODPs), the determination statements carry those parameters, so the assessor checks the requirement as the organization has actually specified it. Because the determination statements track the requirement text, the assessment results trace directly back to the requirements. Each determination statement receives a finding of satisfied or other than satisfied, and the enhanced security requirement is considered satisfied only when every one of its determination statements is satisfied.

Assessment objects are the specific items being assessed and “can include specifications, mechanisms, activities, and individuals,” according to the guidance. Assessment methods are examination (reviewing, inspecting, observing, studying, or analyzing assessment objects), interviewing (holding discussions with individuals or groups to gain understanding, clarification, or evidence), and testing (exercising assessment objects under specified conditions to compare actual with expected behavior). Each method has associated attributes of depth and coverage, which define the rigor of the method and the scope of objects it is applied to, and therefore the level of effort involved. A practitioner preparing for an assessment should expect that a control which looks fine on paper (examination) can still fail when the assessor exercises it (testing).

The new guidance also provides a catalog of assessment procedures for the CUI enhanced security requirements, including assessment objectives and potential assessment methods and objects for each procedure.

Contractor Implications

Detailed evaluation standards and procedures may seem complex and peripheral to many in the federal contracting world, especially when the focus is dominated (as it should be) by meeting our federal customers’ needs: the goals they want to achieve, the objectives they are working to accomplish, the challenges they are seeking to overcome, and the problems they are trying to solve.

However, the growing scrutiny of contractor internal cybersecurity and the overall cybersecurity of the federal supply chain will continue to be nearly as critical in the minds of federal leaders as the effectiveness (and cost) of the solutions and services that contractors provide to agencies. That is why we see a growing number of contractor-impacting cybersecurity provisions in government-wide policies, such as last May’s Cybersecurity Executive Order 14028 and others.

In this market a contracting company’s cybersecurity posture and practices have increasingly become a competitive necessity, especially in IT. A look at competition rates for Department of Defense (DoD) contract dollars shows that competition for IT contracts is already much stronger than the overall DoD contracting market.

But the cyber-scrutiny does not stop with IT contracts, of course. If the DoD continues to move toward requiring all contractors and suppliers who handle CUI to meet the security standards in NIST 800-171 – regardless of the final disposition of the Cybersecurity Maturity Model Certification (CMMC) program – then contractor internal cybersecurity will strongly influence, if not determine, overall competitiveness. This is not just about DoD contracts. A growing number of civilian sector agencies are enforcing the same NIST standards and eyeing CMMC or something like it.

As if market competitiveness were not enough motivation to get your cyber house in order, the Justice Department has launched the Civil Cyber-Fraud Initiative (CCFI) to pursue civil fraud claims against government contractors and grant recipients who knowingly misrepresent their cybersecurity practices or protocols.

Practically speaking, contractor organizations will need to ensure that their cybersecurity for CUI is comprehensive and addresses each of the ten NIST enhanced security requirement families noted above. The procedures provide a pathway and rubric which those responsible for cybersecurity within these firms may leverage to evaluate their current cyber posture, to identify gaps to fill, and to prepare for eventual formal assessments.

For companies that will continue to be permitted to self-attest to meeting NIST standards at whatever level is required of them, these NIST documents show how to evaluate internally in a manner that would pass muster under outside scrutiny, and they set the standard of evidence an assessor would later expect to see.