NIST Revises Rules For Protecting Unclassified Information in Contractor Computers

NIST Special Pub 800-171 sets the rules for protecting information that defense contractors create and/or store, called “Controlled Unclassified Information” or CUI.  CUI includes information that would be very enticing to foreign governments such as Russia, China and others.

SP 800-171 was originally released last year and NIST publications usually have a 3 to 4 year revision cycle, so seeing a revision after just one year is very unusual.

The controls specified in this document are based on NIST Special Pub 800-53, which is now on its 5th revision.  People in the government and defense communities know that document very well.

The objective of both SP 800-171 and SP 800-53 is to protect the confidentiality of sensitive information, as well as its integrity and availability.  The Confidentiality, Integrity and Availability triad, referred to as C-I-A, is the foundation of all DoD information security programs.

As we see more and more industrial espionage – whether private or state sponsored – the government has gotten very concerned about contractors protecting both information that they create under government contracts and information that they receive from the government in order to execute those contracts.  While SP 800-171 deals with unclassified information, the government is also working very hard, separately, to protect classified information after a number of massive classified information breaches such as Bradley Manning, Edward Snowden and Harold Martin III.  While Manning was a soldier and hence a government employee, both Snowden and Martin were civilian contractors working for the NSA but on the payroll of Booz Allen Hamilton.

As more and more data is being stored electronically, attackers from around the world are attempting to steal that information.  When the information was locked in a file cabinet, it was very difficult for someone in, say, Kiev, to steal it.  They had to fly halfway around the world and run a much higher risk of getting caught.  The odds of a Russian being caught and prosecuted, while not zero, are pretty close to zero.

So what does SP 800-171 Rev 1 say?

The DFARS are the rules that DoD contractors must follow if they are applying for or have been awarded a contract.  The DFARS specify an amazing number of things that contractors can or cannot do.  Specifically, DFAR 252.204-7012 (Safeguarding covered defense information and cyber incident reporting) is now a MANDATORY contract clause and MUST “flow down” to every sub-contract that a prime defense contractor awards.  That means that tens of thousands of businesses are obligated to follow what NIST SP 800-171 says.

The only exception to this rule is for standard, commercial, off-the-shelf software – for example, if the government buys a copy of Microsoft Office.

In addition, Federal civilian agencies are beginning to specify compliance with NIST SP 800-171 in their contracts as well, meaning even more companies will have to follow these rules.

Companies that are awarded contracts subject to the DFARS must provide adequate security but do not have to be in full compliance with SP 800-171 until December 31, 2017. But there is a catch.  If a contractor is awarded a contract and is not in full compliance with the safeguards of NIST SP 800-171 right now, it must report to the Department of Defense, within 30 days of the contract being awarded, any gaps between the protections that are in place today and what will be required when SP 800-171 goes into full effect at the end of 2017.

Some of the key changes that are a part of SP 800-171 Rev 1 are –

  • All references to information systems have been replaced by the term “systems” reflecting the fact that almost everything these days has an information component – from a missile to a smart refrigerator.  This newly expanded term also includes industrial control or SCADA systems used in factories and other commercial situations.
  • The rules now require the companies to develop, document and periodically update system security plans that describe system boundaries, operating environments, how security requirements are implemented and the relationships with or connections to other systems.
  • While this version of SP 800-171 does not REQUIRE the company to create a plan of action with milestones for remediating any gaps, it strongly encourages doing that.  A plan of action is likely going to be an important part of defending your current system security plan when the contract auditors pay you a visit.
  • Encryption is now REQUIRED on mobile computing platforms (i.e. phones, tablets and laptops).
  • Companies are now REQUIRED to scan for vulnerabilities both in SYSTEMS and APPLICATIONS.  Given the number of applications that most companies use, this is a big job.

Those are some of the changes.  What other major requirements were and are still in SP 800-171?  Here are some of those:

  • Access control – limiting access to information based on a need to know – has 22 separate sub-requirements.
  • Security awareness training is required.
  • Companies must create, protect and retain audit records that allow forensics experts to figure out what happened in case of a security incident.
  • Companies must set up a configuration management system that tracks systems throughout their entire lifecycle, including tracking any changes during the years that the systems are in place.
  • Enforce the identification of system users including using multi-factor authentication.
  • Create and maintain an effective incident response capability that allows for detection, analysis, containment and recovery from events.
  • Protect all media – whether electronic or physical – containing controlled unclassified information.
  • Screen employees who have access to controlled unclassified information and protect systems after personnel “actions”.
  • Implement physical protections for systems.
  • Conduct periodic risk assessments that include risks to organizational mission, function, image and reputation.
  • Conduct periodic assessments of the security controls to ensure that the controls in place are effective.  This could be implemented by conducting periodic internal and external penetration testing by a qualified and independent third party.
  • Protect all communications of sensitive information.

As you can see, for those organizations handling sensitive information, the rules for protecting it are pretty robust, and companies will need to up their game in order to get into compliance.

It is unlikely that most companies are in compliance with these rules today.  The good news is that they have until December 31, 2017 to get there – which means that 2017 will be a busy year for information security.
