By Courtney Theim
Tue | Jul 11, 2017 | 7:25 AM PDT

Companies with federal contracts will need to be compliant with the NIST 800-171 revision by December 31, 2017. In an exclusive interview, Dave Gray of CyberDefenses highlights key changes with the regulation moving forward. Learn more and make sure you're prepared with live or on-demand courses offered in July and August.

What is the significance of the NIST 800-171 revision? How will we be affected as security professionals?

Gray: The current version of NIST 800-171 is revision one, which came out in December 2016. Since that revision is relatively new, persons reading it should double check to make sure they have the current version, that they didn’t pick one up prior to that point in time. Security professionals will likely see this as a step in the right direction, but not necessarily the final solution to improving security because the National Institute of Standards and Technology, and the primary author, the National Archives and Records Administration—otherwise known as NIST and NARA—purposely chose to allow broad latitude in how security controls are implemented. For example, multifactor authentication (MFA) can be implemented in any format. A user is not required to use the latest and greatest guidance from NIST on multifactor authorization, which discourages certain options such as using SMS texting. But that method would be perfectly allowable under NIST 800-171.

SecureWorld: So, if a new "best practice" comes out, you’re not technically required to automatically adopt that?

Gray: It’s not a question of adopting or not adopting, it’s a question of the particular mechanism that you chose as a security professional for any of the particular security controls that are required under 800-171. If you’re familiar with security controls, there are almost an infinite variety of “best practices,” and standards and capabilities, and so NIST is purposefully not being prescriptive. They are simply stating the high-level requirement. And I’m sure this is due to the fact that many, if not the majority, of companies affected are brand new to security controls. To be overly prescriptive could be company-breaking for those without the budget or resources for some of the potential methods that can be used.

Is this new regulation coming from the cybersecurity act that the president signed? If so, does it really fulfill what he had promised for cybersecurity during his campaign?

Gray: Yes, President Trump did sign an executive order. However, this is just one more step in a series of steps. CUI requirements came from President Barack Obama’s November 2010 executive order, number 13996, Control of Unclassified Information. The executive order established a government-wide CUI program to standardize the way the executive branch handles unclassified information. Knowing how fast the government works, no one should expect requirements more recent than 2010.

When President Donald Trump signed his cybersecurity executive order this past May, it focused on three areas: cybersecurity of federal networks, cybersecurity of federal infrastructure, and cybersecurity for the nation. Trump’s order requires federal agencies to use the NIST cybersecurity framework for improving critical infrastructure, using the Critical Infrastructure Framework which came out in 2011 (under another of Obama’s executive orders on the same subject). However, Trump’s order adds accountability by requiring the heads of federal agencies to report their status. Trump’s order adds emphasis on the critical portions of our infrastructure, referred to in the 2013 order, for which the risk of attack includes catastrophic, regional, or national impact. Trump's order includes a joint report of agency cybersecurity priorities for a number of agencies.

And finally, which will interest a lot of people who are in the cybersecurity career space, Trump’s order addresses training for the cybersecurity workforce of the future. The 2017 order continues work started in previous administrations, and helps maintain momentum as the country moves forward in protecting confidentiality, integrity, and availability for data. Future efforts may focus more on action and less on studies and reports, but the current executive order is definitely a step in the right direction.

How does the government know whether or not you’ve fulfilled what this revision is requiring? Is this a sufficient amount of time to become compliant?

Gray: The 800-171 actually came out quite some time ago, and the changes to the Federal Acquisition Regulation (FAR) and the Department of Defense Federal Acquisition Regulation Supplement (DFARS) were also drafted quite some time ago, but they've only been in the public eye since probably the beginning to middle of last year.

The method for communicating compliance is based on self-attestation. An interesting twist to the NIST 800-171 self-attestation is that NARA does not provide details or examples of what is acceptable. So again, non-prescriptive. Details are left to the individual contracting officers, many of whom don’t have a security background. There is no certification program similar to the one used for federal cloud service providers, called FedRAMP. They have a certification program called Third Party Assessment Organizations (3PAO). In this case, it’s going to be up to each contracting officer.

If you can think of all the different contracting officers that the federal government has, each one of those can have their own particular style or flair. If you’re a subcontractor working for five different prime vendors, you might have five different formats to show your compliance. Personally, I built a generic self-attestation document based on the GSA FedRAMP template, mostly because it provided a good starting point. I’m working with a vendor now whose primary vendor is using surveys to help determine if their vendors are compliant. Interestingly enough, at least one prime vendor includes a survey with questions from an entirely different security framework, referred to as the Center for Internet Security 20 Critical Controls, and that’s in addition to their survey for the NIST 800-171 security controls. Instructions for both surveys essentially define successful implementation as controls that are fully implemented, which kind of leads to a problem when you’re looking at the NIST 800-171. If you’re not someone who has gone very deep into this, you may not have enough detail to accurately recognize what in fact is successful. At first glance, the 110 controls under the 800-171 are pretty straightforward; but upon closer examination you’ll see that there’s an appendix in the document that provides detailed mapping to a control framework that is based on significantly more granularity—and that essentially doubles the number of controls.

Only organizations with a long history of information security due diligence will be able to achieve compliance before the DFARS deadline of December 31, 2017. Other organizations can either expect to conduct a crash course in information security, or they’ll need to document gaps using a document format known as a POA&M, which stands for Plan of Action and Milestones. The FAR—the Federal Acquisition Regulation for non-Department of Defense federal agencies—has a more realistic schedule. The FAR approaches it with a multi-tiered style based on six-month increments. Essentially, the FAR gives top-level agencies six months to figure out what they’re going to do, including directions for their suppliers. Those suppliers have their own opportunity to spend six months doing the exact same thing. And this has to happen all the way down through the supply chain. For every organization that’s supplying another supplier there is an opportunity to figure out what they need to do to become compliant. Even with these short timelines—because six months is really short in the security world—if they’re not compliant it could negatively affect their ability to win new contracts. Organizations simply cannot flip the switch and become compliant by purchasing products and security solutions. They usually need combinations of products and services that have to be carefully vetted to be sure they support the organization's business model. True security professionals have a deep respect for the business aspect of running their organization and they recognize they can’t interrupt business just for the sake of security, otherwise they’ll be out of business. What they need to do instead is promote conducting business in a secure fashion.

What is Controlled Unclassified Information? What are they looking for specifically, and what is not included in this description?

Gray: Specifically, Controlled Unclassified Information, or CUI for short, is a relatively new term that takes the place of a number of terms used by various agencies in an attempt to standardize the taxonomy of the language used to describe data classification. Officially, CUI is “information that law, regulation, or government-wide policy requires to have safeguarding or dissemination controls, excluding information that’s classified under another act or regulation." What’s not included in CUI is information covered under existing guidance. Some examples of existing guidance might be HIPAA and information that’s already covered under the IRS, such as federal tax information covered under IRS Publication 1075. And most significantly, what’s not covered under CUI are the existing classifications in the Department of Defense. Examples include Secret, Top Secret, and Top Secret Sensitive Compartmented Information. If there’s already a document or a regulation that covers federal information, or defense information, then that document takes precedence. However, if there is a gap (like if another regulation does not address multi-factor authentication), then that gap would be filled using the 800-171 guidance instead. NARA manages the complete list of CUI in what they refer to as a CUI registry. CUI categories, which are required to be dealt with in addition to the 800-171, include all sorts of different things that might come out of a federal agency. Categories include controlled information, critical infrastructure, emergency management, export controls—it’s a very long list. One of the items that folks will many times not think about is Information Systems Vulnerability Information, which is basically information that an organization creates in the protection of their agency’s network and must itself be protected.

SecureWorld: What about information that’s within your legal counsel, within attorney-client privilege?

Gray: Legal is absolutely one of those CUI categories. And law enforcement.

Who does this really affect? What kinds of companies have these federal contracts?

Gray: CUI requirements apply to government information provided to non-federal organizations. Of all the contracts that the federal government has, many have the ability to produce CUI, which then gets sent to either a prime vendor or from a prime vendor down to a sub-contractor. As an example, I’m working with a sub-contractor right now who works for a large defense aerospace corporation, and this particular sub-contractor holds military-specific parts. All of those drawings, all of those communications related specifically to the drawings, are all considered CUI. Companies with any contracts, with any of the CUI categories, any company that has a federal contract that involves any of those particular categories, are going to be affected. And that’s again both for the Department of Defense with their DoD Federal Acquisition Regulation Supplement (DFARS), or the FAR. And with DFARS, they’ve already put in a change to the master contract that is mandated to be copied and pasted into all contracts, all the way down the supply chain. DFARS has the first deadline for CUI that requires compliance by December 31, 2017.

What can registrants of this class expect to learn?

Gray: Registrants for this class will learn a great deal about CUI; how to obtain, maintain, and retain the 800-171 compliance for FAR and DFARS contracts. Specifically, we’re going to have four classes grouped into four different major areas.

Part 1 includes understanding what CUI is, why it’s important, and what the consequences are for non-compliance.

Part 2 includes a detailed review of the 800-171, the 14 different security families, and the total of 110 basic and derived security requirements. Essentially, the 110 controls are divided up 14 different ways, and they are grouped by such things as access controls, compliance configuration controls, etc.

Part 3 includes procedures and analysis for how you assess yourself, and you'll go through the assessment process, including the comprehensive underlying requirement details, mandated by the appendix in the back of 800-171 (Appendix D).

Part 4 includes a discussion of the multiple stand-alone products and deliverables built into the 800-171 compliance process. It’s not like you just answer yes or no to 110 questions; some of them actually have complete products that have to be created, all in addition to assuring that you’re yes or no compliant to a certain control. These end products include things such as the self-attestation that I mentioned and a plan of action and milestones. In the event that you’re not 100% compliant, the end products would be specific deliverables that are stand-alone documents, such as a configuration management plan, information security contingency monitoring, information system contingency plan, incident response plan, security awareness plan, and so on. Quite a few stand-alone deliverables have to be created. At first read, if you’re not a security professional and looking at the details of everything required, you may miss a number of things. If you claim you’re compliant and then your prime vendor audits you, it’s quite possible you could be held in violation of contract, or a breach of contract.

Register here for this online course, NIST 800-171: Protect Controlled Unclassified Information (CUI) & Your Federal Contracts, held July 25, July 27, August 1, and August 3.

Tags: GRC