While the departments of Defense and Homeland Security continue to muddle through developing new acquisition regulations for how contractors should protect controlled unclassified information, agencies and companies are getting their first look at new governmentwide guidance.
The National Institute of Standards and Technology’s new draft update to Special Publication 800-171, Revision 3 takes into account a year’s worth of comments and data collection to make significant changes to the requirements.
“This update to NIST SP 800-171 represents over one year of data collection, technical analyses, customer interaction, redesign and development of the security requirements and supporting information for the protection of controlled unclassified information (CUI),” NIST wrote in its release of the draft guidance Wednesday. “Many trade-offs have been made to ensure that the technical and non-technical requirements have been stated clearly and concisely while also recognizing the specific needs of both federal and nonfederal organizations.”
SP 800-171 serves as the cornerstone for how agencies and vendors protect federal data on non-federal systems or organizations when that company is not collecting or maintaining the data.
“The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations,” NIST wrote.
NIST plans to hold a webinar on the new draft guidance on June 6.
Comments on revision three are due by July 14.
Harmonizing security guidance
Among the major changes in revision 3 are updates to the security requirements based on NIST SP 800-53, Revision 5, the cybersecurity and privacy controls guidance, and SP 800-53B, which defines the moderate control baseline. Additionally, NIST introduced the concept of organization-defined parameters (ODP) in selected security requirements to increase flexibility and help organizations better manage risk, and created a prototype CUI overlay, which provides a detailed analysis of the tailoring decisions at the control item (or requirement item) level between SP 800-53 and SP 800-171.
“The public comments received from the request for information indicated that many organizations are overwhelmed with the number of different security and risk management frameworks in use by the public and private sectors. To better align two widely used NIST resources, a strategy has been initiated to transition the security requirements in NIST SP 800-171 to the control language in NIST SP 800-53,” NIST wrote in frequently asked questions released with the draft guidance. “Related to that transition, NIST has developed a prototype CUI overlay. The prototype overlay shows how the NIST SP 800-53B moderate control baseline is tailored at the control and control-item levels to express the security requirements necessary for the protection of CUI from unauthorized disclosure.”
Additionally, NIST says ODPs, once defined, could become part of the security requirement and can be assessed.
“ODPs also help simplify assessments by providing greater specificity to the requirements being assessed and reducing ambiguity and inconsistent interpretation by assessors. Federal agencies can elect to specify ODPs, provide guidance on selecting ODPs for nonfederal agencies, or allow nonfederal agencies to self-select ODP values,” NIST wrote in the FAQs.
DoD is using SP 800-171 as the basis for the Cybersecurity Maturity Model Certification program it is developing. It has not yet sent its proposed rule to the Office of Information and Regulatory Affairs (OIRA) for consideration. DoD says the rulemaking process could take up to two years and that it will implement the final requirements over a five-year period.
DHS rule close to final
DHS in August 2022 developed a rule to add to its Homeland Security Acquisition Regulation (HSAR) to “implement security and privacy measures to ensure CUI, such as Personally Identifiable Information (PII), is adequately safeguarded by DHS contractors. Specifically, the rule would define key terms, outline security requirements and inspection provisions for contractor information technology (IT) systems that store, process or transmit CUI, institute incident notification and response procedures, and identify post-incident credit monitoring requirements.”
As of May 2, OIRA completed its review of the final rule and sent it back to the agency for final preparation to publish it. The rule has been in the works since 2017.
In the meantime, DoD is taking another step toward protecting its supply chain, of which protecting information is one part, by requiring contracting officers to evaluate vendors through the Supplier Performance Risk System (SPRS).
In the final rule issued March 23, DoD says contracting officers must consider supplier risk as part of their responsibility determination for any procurements at or below the simplified acquisition threshold and for any acquisitions of commercial items and services.
John Tenaglia, the director of Defense Pricing and Contracting, said at the Coalition for Government Procurement conference that the final rule is pushing contracting officers to focus more on items that DoD has identified as carrying more risk.
“SPRS is a DoD enterprise application that retrieves price, item, quality, delivery, and contractor performance data from government reporting systems. SPRS collects quality and delivery data from government systems to develop risk assessments. The system provides three risk assessments for contracting officer use in evaluations of quotations and offers: an item risk assessment, a price risk assessment, and a supplier risk assessment,” DoD wrote in the final rule.