Changes are Coming to NIST 800-171
Recently released standards that govern the process of securing unclassified controlled information have been scheduled in late 2018 to undergo a revision before being finalized early on in 2019. These new processes will build off of the requirements contained in the initial NIST 800–171 that was released two years ago.
NIST 800–171 generally requires certain measures to be taken when nonclassified information is located on nonfederal servers. It is aimed at ensuring that sensitive information is protected and secured when the information resides outside of the federal government.
While this NIST standard is aimed at protecting information, it ultimately becomes a matter all contractors must come to know in order to stay in business. These standards are incorporated into all contracts with the Department of Defense through a certain contractual clause.
DOD contracts are governed by several sets of federal regulations. In order to keep their contracts with the United States Government, contractors must comply with these regulations. If contractors do not comply with the regulations, they will either not be selected for contracts at all, or could lose the contracts they have through a process called termination for default. If you are a contractor, a termination for default is a terrible thing for your business to go through.
One of the sets of regulations that govern DOD contracts is called the DFARS. These regulations are DOD-specific and contain requirements that are in addition to the Federal Acquisition Regulations. The DFARS has incorporated NIST 800–171 into every single DOD contract. In other words, if you are a contractor and want to receive a DOD contract, you must attest that you have complied with these standards before you can be awarded the contract. This requirement is not only found in over a million federal contracts, but it must be included in every single subcontract as well.
Contractors need to be aware that their original certification and efforts at compliance are not enough to stay in good standing with the DOD. These standards are continuously revised in order to cover new threats and make the protections broader than they currently are. When a contractor certifies that they are complying with the standard, that certification includes the revisions, not just the original standard. In other words, if you do business with the federal government, you are obligated to keep track of each revision and continuously incorporate these revisions into your security measures if you want to continue doing business with the federal government.
By the end of this year, NIST will be releasing a draft of changes to the existing guidance. The public will have a chance to submit their comments on the proposed guidance before it becomes final next spring. These changes will propose additional new levels of protection that contractors will need to learn.
These new measures will be optional in some instances; however, agencies can also make them mandatory if they choose. For that reason, those that do business with the government need to familiarize themselves with this new update so they are not caught off guard in the future. The update deals with the area of “advanced persistent threats.” These threats are faced when handling “critical defense and infrastructure information.” The update will address how contractors can add a new layer of security to counteract these threats.