CSIAC

Cyber Security and Information Systems Information Analysis Center

Reply To: Must an organization meet all CUI and related control enhancements in 800-171

Home Forums Groups Forums Knowledge Management & Information Sharing Protecting Controlled Unclassified Information Must an organization meet all CUI and related control enhancements in 800-171 Reply To: Must an organization meet all CUI and related control enhancements in 800-171

2016-08-26 at 11:46 #6999

wkastorff
Participant

Disclaimer: This is not an official response from SRC Inc. it is an informal peer response and is to provide guidance. Please work closely with your corporate contracting officer and your government contracting office to clarify any contracting or specific NIST SP 800-171 security requirement satisfaction expectations.

This is a great question and could be considered a point of controversy for many of the derived requirements based upon NIST SP 800-53. I am sorry to say that I am unable to locate Table 1 in DFARS 252.204-7012 based upon my web based searches and my personal reference files. I am going to provide background information than answer your question.

The first difficulty with satisfying the contractual requirements described in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting is deciphering what is a contractual requirement and how the DFARS communicates to the contractor their reporting requirement to the DOD CIO. Paragraph “(b)(ii)(A)” describes this requirement and describes (indirectly) that NIST SP 800-171 security requirements are a contractual requirement for DOD contractors. Ref: http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

It is important we recognize that NIST SP 800-171 provides the specific security requirements for protecting controlled unclassified information in nonfederal information systems. NIST SP 800-53 is a reference document that was used to create the derived security requirements in NIST SP 800-171. NIST 800-53 is not the directive document for nonfederal information systems protecting CUI. The cross references in Appendix D and E in 800-171 are there to “promote a better understanding” of derived security requirements. Ref: NIST SP 800-171, Page 6, Chapter 2.2

Therefore a nonfederal information system protecting CUI is not required to conform to any NIST SP 800-53 security controls or control enhancements. You are under contract to satisfy the NIST SP 800-171 security requirements including the derived security requirements. NOTE: This is subject to change, based upon the actual wording of your contract with the government or formal direction received from your firm’s contracting officer.

I believe this should answer your question. If you have any further questions our team is available to assist you!

Thank you for using the CSIAC Protecting Controlled Unclassified Information forum. We look forward to additional questions.

Respectfully

Wade Kastorff
Director, Commercial Security Services, SRC Inc.
wkastorff@srcinc.com
http://www.srcinc.com