Unauthorized access and disclosure of government information has become all too common in these times of frequent cyber-attacks. As a result, the government has extended mandatory safeguards to non-federal organizations that process, store or transmit Controlled Unclassified Information (CUI) or Covered Defense Information in non-federal information systems. These non-federal organizations include contractors, subcontractors and service providers. Additionally, CUI is often provided to, or shared with, state and local governments, colleges and universities, and independent research organizations. To comply with CUI requirements, government contractors and other organizations processing CUI must fully understand what CUI they store, process, or transmit in the course of doing business with the federal government. In many cases, they must also be compliant with NIST 800-171.
Government contractor organizations must be prepared to provide adequate documentation describing their technical solutions, their policies, and evidence of being able to detect and respond to incidents, in line with the safeguards defined by NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which currently includes fourteen families of security requirements and a total of 109 individual controls. The CUI requirements within NIST SP 800-171 are directly linked to the baseline controls described in NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and are intended for use by federal agencies in contracts or other agreements established between those agencies and non-federal organizations. TestPros provides a full range of NIST SP 800-171 Compliance Services to help you establish the necessary controls and build the documentation the Government requires.
If you are a contractor providing services to the U.S. federal government, your organization is responsible for protecting Controlled Unclassified Information (CUI). For Department of Defense contractors, DFAR 252.204-7012 and 252.204-7008 require that you implement the safeguards defined by NIST SP 800-171 over these materials by December 31, 2017. Prior to that deadline, DoD contractors must report any NIST SP 800-171 requirements not yet implemented within 30 days of contract award.
While no equivalent FAR regulations are currently in place that map to the DFAR requirements, there are Executive Orders that mandate compliance for all government agencies. CUI requirements are based on Executive Order (EO) 13556 of November 4, 2010, and on 32 CFR Part 2002, Controlled Unclassified Information (CUI), in effect November 14, 2017, and are supported by “CUI Notice 2016-01: Implementation Guidance for the CUI Program,” which was issued by NARA on September 14, 2016 (“Day-0”). Per that guidance, agencies must reach Initial Operating Capability (IOC) one year after Day-0 and Full Operating Capability (FOC) three years after Day-0 (September 14, 2019) to be compliant. It is only a matter of time before non-DoD agencies pass along the same CUI handling requirements to their contractors.
Regardless of the legal or statutory requirement, it makes good business sense to implement the security steps defined by NIST SP 800-171!
TestPros provides independent assessment and advisory consultation services to meet your NIST SP 800-171 Compliance needs, addressing the current 14 families of security requirements and total of 109 controls.
As illustrated in the figure above, our Assessment Services include audits and compliance assessments against the NIST 800-171 standard, after which we advise on security program enhancements and control implementation where gaps are identified. Our approach is pragmatic – where possible, we identify ways to reduce the scope of our client’s effort. For example, in lieu of hardening client-hosted servers and networks, it is often more expeditious and cost effective to isolate CUI data on FedRAMP-certified, cloud-based servers.
For each of the NIST 800-171 control objectives, TestPros delivers the following audit / assessment services and documentation:
- Identify applicable compliance guidance
- Determine if Group Policies (Active Directory or other LDAP), other Policies and Standards, Documented Processes and SOPs are in place
- Identify related technology considerations
- Document compliance status
- Justify any deviation from standard (pre-implementation only)
- Note any clarifying information, for example, reference to duplicate controls
Once we have helped our client identify their requirements, TestPros is available to help you create the NIST 800-171 required documentation sets, including a System Security Plan (SSP) that documents how you protect and ensure control of CUI, along with any additional guidance based on client or agency requirements. We develop supporting compliance programs, including cost-effective alternative approaches, to implement and maintain (through continuous monitoring) the required controls for transmitting or storing this data in non-federal information systems. We work from either existing client templates or TestPros-provided templates to accelerate the process.
How can TestPros help?
TestPros understands that NIST 800-171 compliance is based on the premise that software, hardware and document accessibility is part of each IT requirement and should be addressed up front as part of the system development life cycle. We offer NIST 800-171 gap analysis, compliance support, program support, and training services to help your organization safeguard its networks and become compliant!