4 Key Highlights Impacting Defense Contractors from the NIST CUI Workshop Held October 18, 2018
On October 18, 2018, the National Institute of Standards and Technology (NIST) hosted a day-long workshop featuring experts from across the government, who educated industry representatives and government agency personnel about the security requirements applicable to Controlled Unclassified Information (CUI). Below are 4 key highlights impacting Defense Contractors from the NIST CUI Workshop.
Note: To view the workshop presentations, follow the NIST CUI Workshop (10/18/18) resources link: https://www.nist.gov/news-events/events/2018/10/controlled-unclassified-information-security-requirements-workshop
Another NIST CUI Workshop has been added to the schedule for November 14, 2018. Follow the link for more info: https://isoo.blogs.archives.gov/2018/11/
1. The FAR CUI Clause Will Be Released in 2019.
The highly anticipated FAR CUI clause will give agencies a mechanism to extend the National Archives and Records Administration (NARA) CUI rules to contractors. (They currently apply only to government agencies.) As currently envisioned, the FAR clause will put the burden on the contracting agency, as part of the contracting process, to identify all CUI expected to arise during performance. This would include not only CUI to be provided by the government, but also CUI to be generated by the contractor.
2. The Government Will Be Given Responsibility for Assessing Contractor Cybersecurity Compliance “Soon”.
In most instances, contractors are asked to self-certify compliance with the DFARS -7012 clause and 800-171. Increasingly, however, cybersecurity is becoming a factor in proposal evaluation, leading to program-level reviews of security controls. Some contracts contain provisions for post-award audits or self-reporting of cybersecurity compliance. In addition, the DoD Inspector General has undertaken targeted compliance audits, and the Defense Contract Management Agency (DCMA) has been given some cybersecurity compliance oversight responsibility. Once the FAR CUI clause is in effect, there will be even more possible assessors of compliance within government. DoD and NIST personnel indicated that “soon” it is anticipated there will be one “government-wide” assessor of compliance.
3. A Revision to NIST SP 800-171 Will Add New, “Optional” Requirements.
Revision 2 to NIST SP 800-171 is likely to be published in March 2019. The revision will describe more extensive requirements that might be implemented by contractors handling critical defense and infrastructure information – information which, if compromised, could lead to significant damage. Whereas the current NIST SP 800-171 requirements are designed to establish “adequate security,” the new requirements would add a layer of protection specifically designed to address advanced persistent threats. Where appropriate, agencies could mandate compliance with the Rev. 2 “optional” requirements. Even where not mandated, contractors might choose to implement the new requirements as an added element of security.
4. A Clarification for What Happens After a Contractor Reports a Cybersecurity Incident Via DIBNet.
After a report is made to DIBNet, the DoD Cyber Crime Center (DC3) decides whether the information is critical enough that DoD needs more information, which it can request and collect pursuant to 252.204-7012(d)-(g). In its initial assessment, DC3 looks at the information compromised and how it could impact weapons systems or defeat defensive military capabilities. DC3 also analyses the report to identify cyber threat vectors and adversary trends. It is important to note that per DFARS 204.7302(d), the mere fact that a cyber incident has occurred and been reported is not, in and of itself, evidence of inadequate security.
InfusionPoints is a Cyber Security Company offering a full array of Build, Manage, and Defend services in the Government, Commercial, and Non-Profit sectors. For information about our DFARS/NIST SP 800-171 Compliance Support Capabilities and Services, please visit infusionpoints.com/solutions/dfars-cmmc