Pursuant to DFARS 252.204-7012, DoD contractors must implement the security requirements in NIST Special Publication (SP) 800-171 by December 31, 2017. NIST SP 800-171 sets out security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems and is expected to be required under civilian agency contracts as well through a forthcoming FAR case. On November 28, 2017, NIST released its highly anticipated draft publication, NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information.” Like NIST SP 800-53A, which provides assessment procedures for the requirements in NIST SP 800-53 (the security requirements for federal systems), the draft publication is intended to “help organizations develop assessment plans and conduct efficient, effective, and cost-effective assessments of the security requirements in Special Publication 800-171.” The draft includes an assessment procedure for each security requirement in the fourteen requirement families of NIST SP 800-171 and describes the assessment methods (examining documents and artifacts, interviewing personnel, and testing mechanisms) by which companies can “generate evidence to support the assertion that the security requirements have been satisfied.” Thus, it appears that an organization that conducts the assessments described in the draft publication and retains the supporting evidence can present that evidence to its agency customer to demonstrate compliance with NIST SP 800-171 (subject, of course, to any agency-specific clauses or demands relating to safeguarding CUI).
The draft publication includes appendices with tables mapping the requirements in NIST SP 800-171 to the controls in NIST SP 800-53 and ISO/IEC 27001, as well as other guidance for implementing the CUI requirements. It also renews the promise, made in the National Archives and Records Administration (NARA) final rule on CUI released in November 2016, that a FAR case requiring contractor compliance with NIST SP 800-171 in all contracts involving CUI is imminent: “The CUI Executive Agent is actively engaged in the process of developing a FAR clause that will apply the requirements of the federal CUI regulation and NIST Special Publication 800-171 to contractors.” NIST encourages feedback on the assessment procedures in the draft publication; comments are due by December 27, 2017. A copy of the draft publication and the related comment template are available here.