The new CUI FAR will not be published until the beginning of FY ’19, but begin working on your plans now to get ahead of your competition!

Defense contractors are already on the hook for meeting NIST SP 800-171!

The federal government has responded to concerns over a growing number of cyber threats by pushing out more cybersecurity regulations. These regulations point to NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, as the primary standard that nonfederal entities should strive to meet. Currently, the only government agency requiring that contractors follow NIST SP 800-171 standards is the Department of Defense, through Defense Federal Acquisition Regulation Supplement (DFARS) subpart 204.73 and clause 252.204-7008, but soon it will be expected of all executive agency contractors that handle CUI. Other agencies, like GSA and DHS, are in the process of developing cybersecurity rules similar to those found in the DFARS, but most are waiting until the National Archives and Records Administration (NARA) publishes a new Federal Acquisition Regulation (FAR) rule that lays out a policy for how all executive agencies and their contractors should handle Controlled Unclassified Information.

The primary issue to note is that it is only a matter of time before all contractors will need to meet the standards laid out in NIST SP 800-171. The most important items within the document are the System Security Plan (SSP) and Plans of Action. Contractors will be required to have these plans, and the government may request them at any point during the execution of a contract. Furthermore, agencies may require them with the submission of a contract proposal, or they may use them as evaluation criteria for awarding contracts. Contractors who can demonstrate their compliance through these plans may drastically set themselves apart from their competitors. Even if your contract doesn't appear to have CUI designated in it, there is a chance your company could create it during the execution of the contract, so it is important to check your contract for the clauses below.

Clauses to look for in contracts:

  • DFARS Subpart 204.73 requires the inclusion of DFARS Subpart 252.204-7008 in contracts
  • DFARS Subpart 252.204-7008 requires a contractor to meet NIST SP 800-171 standards if they handle CUI
  • DFARS Subpart 252.204-7012 requires specific cloud service providers (CSPs) be used if a contractor stores or transmits CUI to a cloud service and also has specific incident tracking and reporting requirements
