NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations and DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.
The Department of Defense (DoD) has long been focused on protecting Controlled Unclassified Information (CUI) held in nonfederal information systems. The protection of such information while it resides in these information systems and organizations is of paramount importance to federal agencies. If not done correctly, it could severely impact the ability of the federal government to successfully carry out its missions and operations. In 2010, the White House issued Executive Order 13556, Controlled Unclassified Information, which established an open and uniform program across civilian and defense agencies to manage CUI, requiring safeguarding or dissemination controls pursuant to and consistent with law, regulation, and Government-wide policies.
The scope of this requirement is limited to nonfederal information systems that store CUI, which includes any information related to "the performance of the contract" that DoD provides to the contractor or that the contractor accumulates in support of the contract. It also includes sensitive information that raises privacy and security concerns, contains proprietary business interests, or is critical to law enforcement investigations.
NIST SP 800-171 and DFARS 252.204-7012
NIST SP 800-171 outlines the basic safeguarding requirements that applicable contractors and subcontractors must implement. DFARS 252.204-7012 directed contractors to implement the NIST SP 800-171 requirements by December 31, 2017.
Contractors must now fully understand what CUI they store, process, or transmit in the course of doing business with the DoD and be prepared to provide adequate security using controls in NIST SP 800-171. A company must also be able to detect and respond to incidents.
All prime contractors and subcontractors doing business with the DoD, even those that do not believe they handle CUI, must document an exception and may still need to comply with portions of NIST SP 800-171. This is a flow-down clause, and it applies to subcontractors as well as primes. Subcontractors must report incidents both to the prime and directly to DoD.
How SecureStrux Can Help
We understand that your company’s time is extremely valuable. SecureStrux’s CUI assessment methodology was developed to ensure timely and efficient assessments. Whether your company is currently working with a federal agency or pursuing federal contracts, SecureStrux’s CUI assessment report demonstrates your company’s compliance with NIST SP 800-171. Because NIST SP 800-171 is a comprehensive information security standard, the results of this report also demonstrate to your company’s non-federal customers and prospects that your organization has a strong system of internal controls in place.
SecureStrux – Knowledgeable Specialists in CUI and DFARS Compliance and Auditing
SecureStrux’s proven steps to bring your firm into DFARS and CUI compliance will ensure you meet the critical deadline of December 31, 2017. Contact us today to learn more about our service offering and decide if it’s right for you. We welcome the opportunity to get you prepared.