Handling CUI With Non-Federal Entities

Thought leadership contributed by Jimmy Buddenberg, Cybersecurity and Risk Advisory Practice Leader, Elliott Davis

As technology advances at a rapid pace, the federal government has continued to rely on the expertise of contractors to complete its missions. The use of contract labor has proved to be cost and time effective. The risk is that these contractors process, store, and transmit sensitive federal data on their own systems, yet they are not part of the federal government and do not fall directly under the cybersecurity practices that govern a federal agency. To cover this gap, the National Institute of Standards and Technology (NIST) developed Special Publication (SP) 800-171. 

What is NIST?
For those who have never worked in the federal space, NIST may seem foreign. So what is NIST? NIST is a government organization that was established in 1901 to promote innovation and industrial competitiveness. While the organization works across the science and technology realm, in cybersecurity NIST researches and develops the standards and guidelines that federal agencies use to secure their information systems. It works across all aspects of cybersecurity, addressing both standards and best practices.

While NIST's focus is providing guidelines for US federal information systems and data, its standards are commonly referenced by security professionals outside the federal sector. NIST standards are often used as guidelines and best practices in both the private and public sectors within the United States and internationally.

What is CUI?
As previously noted, the federal government has been outsourcing work to non-federal entities to complete its missions because doing so saves time and money. These non-government entities were often processing, storing, and transmitting sensitive unclassified information. Because the information was unclassified, it did not carry the protection and control requirements that classified information does, even though some of it is still sensitive. In 2010, Executive Order 13556 designated this sensitive unclassified information as Controlled Unclassified Information (CUI) and required it to be protected and controlled. SP 800-171 was developed to give organizations a framework for protecting any CUI that resides on their networks while they perform work for the federal government.

To whom and what does SP 800-171 apply?
There are 24 categories and 83 subcategories of CUI. For example, in the tax category, federal taxpayer information is considered CUI and must be protected. In the privacy category, death records and health information are CUI. Organizations that work with the federal government often hold data that falls within these categories. SP 800-171 is the guide for these non-federal entities; it is used to enhance the organization's security posture and help protect this data.

Some sectors of the federal government also require the organizations they work with to be compliant with SP 800-171. For example, to do business with the Department of Defense (DoD) an organization must meet the requirements of the Defense Federal Acquisition Regulation Supplement (DFARS), which points to SP 800-171 as the minimum security requirement. The organization's compliance is part of the contracting process and must be met.

It is very important for non-federal entities to be aware of these requirements when doing business with the federal government. While some contracts merely recommend that a contractor meet the requirements of SP 800-171, others require it.

Compliance with NIST 800-171
Even though SP 800-171 itself does not mandate an audit, some federal entities may require contractors to submit their System Security Plan (SSP) and Plan of Action & Milestones (POA&M) mapped against the NIST criteria. A documented SSP and POA&M are required as part of the SP 800-171 standard, and failing to produce them would indicate non-compliance. Significant penalties could result if a contractor attests to compliance with the NIST standard and then suffers a loss or breach of CUI.