The Cybersecurity Standards Driving Contract Requirements Get an Update from NIST

The federal agency setting technical standards for protecting sensitive government data has updated their guidance for agencies and contractors. The National Institute of Standards and Technology (NIST) recently released updated guidance on how federal agencies and government contractors should protect the confidentiality of Controlled Unclassified Information (CUI) on their systems. NIST is the federal standards-bearer for all-things-cybersecurity (and many other technologies), impacting how agencies and their supporting contractors address and implement their cybersecurity practices, processes and solutions.

Updated Cybersecurity Requirements and Assessment Guidance

The latest updates from NIST include the final public draft (FPD) of NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which contain updated security requirements for contractors systems “that process, store, or transmit CUI or that provide protection for such components.”  

Feedback received on the initial public draft (IPD) of Rev. 3 from last May led NIST to make changes to the 800-171 Rev 3 FPD to reduce the number of organization-defined parameters (ODP); reevaluate the tailoring categories and tailoring decisions; and restructure and streamline the discussion sections in the FPD.

Along with the CUI security requirements above, NIST also released an accompanying initial public draft (IPD) set of assessment procedures – SP 800-171Ar3 (Revision 3), Assessing Security Requirements for Controlled Unclassified Information – that organizations can use “to generate evidence to support the assertion that the security requirements [in 800-171 Rev. 3] have been satisfied. One substantive element of this IPD is that NIST has “restructured the assessment procedure syntax to align with NIST SP 800-53A,” Assessing Security and Privacy Controls in Information Systems and Organizations, 5.1.1, which provides a guidance for assessing security and privacy controls within a risk management framework.

The public comment period for both 800-171 documents is open through January 12, 2024, with NIST planning to post the comments they receive on their Protecting CUI project site after the due date. Final versions will follow some time afterward.

Contractor Implications

Contracting companies that have been paying attention to the federal cybersecurity compliance landscape will recognize the NIST SP 800-171 and other relevant standards that continue to shape expectations and requirements for contractor cybersecurity practices, in the immediate and over the long-term. Already, contractors are expected to be adhering to these standards in the fulfillment of their contracted services with federal agencies.

To further codify this, agencies are using the 800-171 as the underlying standards for more formal cybersecurity verification efforts. The emerging Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program is based upon these standards, and DoD contractors are anticipating the issuance of the DoD’s the CMMC proposed acquisition rule by the end of November.

The 800-171 is also the standard against which the Department of Homeland Security (DHS) will measure contractor cybersecurity for their recently announced Cybersecurity Readiness Factor (CRF) plan.

Increasingly, we will see more agencies adopt the NIST standards as contractual requirements used to inform contract award decisions. Contractors that fail to measure up in both their cybersecurity practices and their ability to document their compliance will be at a significant competitive disadvantage in this market.

---

For more of Deltek’s perspective on the federal cybersecurity market see our report, Federal Cybersecurity Market, 2023-2027.