NIST Proposes Enhanced Security Requirements for Certain Government Contractors

27 June 2019 | Innovative Technology Insights Blog
Author(s): Jennifer L. Urban, Jennifer J. Hennessy

The National Institute of Standards and Technology (NIST) has announced proposed changes to NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The proposed changes are twofold: (1) making minor editorial changes and clarifications to existing SP 800-171, and (2) proposing enhanced security requirements for critical programs and high value assets to protect against the advanced persistent threat (APT) in a new publication, SP 800-171B. These proposals will not only affect the government contractors who are directly subject to the requirements through their agreements with the government, but may also ripple into the private sector. These proposals are open for public comment through August 2, 2019*.

Originally published in 2015, the NIST SP 800-171 controls are designed to set minimum security standards for government contractors that process, store, or transmit controlled unclassified information (CUI). The types of information that are considered CUI are listed in the CUI Registry and include a wide range of information, from federal taxpayer information to critical defense information. The proposed revisions in SP 800-171, Revision 2 are minor editorial changes; no changes were proposed to the basic or derived security requirements. NIST has stated that a comprehensive update to SP 800-171 will be forthcoming in Revision 3.

However, NIST has proposed new, more rigorous security standards for nonfederal systems and organizations that either support critical programs or are part of high value assets (such as weapon systems) in its new publication, SP 800-171B. SP 800-171B builds upon the security requirements laid out in SP 800-171. Because the SP 800-171 controls are frequently cited in private sector agreements as minimum requirements for vendors that process, store, or transmit an organization's data, the proposed controls will likely spread into other industries and impact vendors regardless of whether they contract with the government.

What Do the New Requirements of SP 800-171B Entail?

The new requirements in SP 800-171B are meant to supplement (as opposed to take the place of) SP 800-171 and set a substantially higher bar for minimum security practices in applicable organizations than SP 800-171 does more generally. Specifically, SP 800-171B adds 32 enhanced security requirements to the 110 security controls listed in SP 800-171, focusing on three main components: (1) a penetration-resistant architecture; (2) damage-limiting operations; and (3) designing systems for cyber resiliency and survivability. For example, SP 800-171B adds the following three requirements to the existing controls related to access to CUI (further limiting access rights): (1) employ dual authorization to execute critical or sensitive system and organizational operations; (2) restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization; and (3) employ secure information transfer solutions to control information flows between security domains on connected systems.

For most companies, the enhanced requirements are likely to be more cost-intensive than the general requirements of NIST SP 800-171. One cost-intensive example of a new requirement is that organizations must establish and maintain a full-time security operations center and an incident response team that can deploy to any location within 24 hours. The proposal does provide that NIST will allow organizations to contract with third parties to meet these new standards rather than requiring organizations to have the capability to meet the standards in-house.

How Will SP 800-171B Impact Organizations?

Per SP 800-171B, organizations will only have to comply with SP 800-171B "when mandated by a federal agency in a contract, grant, or other agreement." Thus, once SP 800-171B is finalized, organizations should review their agreements to determine whether compliance is required. As mentioned above, private sector organizations are likely to increasingly require vendors to meet the heightened requirements for data the organization deems highly sensitive, especially organizations with large volumes of sensitive data. Accordingly, and regardless of when NIST SP 800-171B is issued in final form, organizations that know they will likely be subject to these new requirements should begin thinking about how to implement them. Some of these requirements will require new technologies, training, and employees, so the sooner each organization creates an implementation plan and strategy, the smoother and more cost-efficient the implementation will be.

How Can You Comment on These Proposals?

Comments should be submitted via email to or at docket NIST-2019-0002.

To learn more about the proposals, or for assistance in providing a comment, contact any of the authors for more information.

*Editor's Note: Date updated on July 10, 2019.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. 
