The federal government, much like many civilian-sector businesses, relies heavily on digital record keeping and file storage. For this reason, cybersecurity and the protection of sensitive data stored on government servers and hardware are paramount, and the federal government's involvement greatly amplifies the importance of getting it right. In order to safeguard Controlled Unclassified Information (CUI), the National Institute of Standards and Technology (NIST) developed Special Publication 800-171. The goal of NIST is “creating a national culture of cybersecurity that protects the information of our businesses, citizens, and government.”
NIST SP 800-171 outlines 14 categories and dozens of requirements, all of which fall into two broad groups: administrative and technical. At a high level, administrative requirements instruct contractors and individuals who handle CUI to read and review reports and procedures and to report any and all vulnerabilities or incidents. In addition, audited events must be reviewed on an annual basis. Technical requirements include, but are not limited to, monitoring data, preventing security breaches, warning an organization of potential threats, generating reports, limiting access, and implementing rigorous digital security controls.
The 14 categories of NIST SP 800-171:
The draft of Revision 2 does not make any changes to the security requirements, but serves to increase usability: the Discussion section was moved from Appendix F to “Chapter Three to coincide with the basic and derived security requirements.” Draft NIST SP 800-171B is a supplemental document that provides additional guidelines for the protection of Controlled Unclassified Information (CUI) that is stored in a system that may have a “higher-than-usual risk of exposure.” In recent years, cyber-attacks have grown steadily more sophisticated. High value assets (HVA) and critical programs that contain CUI have become targets for hackers, creating an advanced persistent threat (APT). The continued barrage of cyberattacks on HVAs and critical programs in recent years led the Department of Defense to request additional guidance from NIST. “The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a critical program or HVA.”
As adversaries and cyber-attacks continue to increase in sophistication, it is imperative that the federal government continue to strengthen its cybersecurity and that the regulations currently in place continue to evolve. It is essential that contractors maintain compliance with NIST SP 800-171 to ensure that all Controlled Unclassified Information remains secure.