Reply To: Revision of NIST SP 800-171 – Ask Your Questions Now
From a Software as a Service (SaaS) solution perspective, there are contractual (DFARS) requirements that go hand-in-hand with 800-171. We recommend you review your contractual requirements with your firm's contracting officer and the government program office to discover if you are authorized to use SaaS as your solution to protect CUI. From there you will move on to the DFARS requirements.
The first is Subpart 204.73: http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm. This provision guides you to many of the other contractual requirements, whether you're a sub-contractor or prime, that your firm is responsible for. In addition, we would like to point out the cloud services DFARS; the use of cloud services is described in DFARS 252.239.7010 (http://www.acq.osd.mil/dpap/dars/dfars/html/current/252239.htm#252.239-7010) and other locations. Unfortunately, simply using NIST 800-171 Revision 1 is not the only set of requirements when it comes to protecting CUI and other sensitive government information. As another example, if your organization is protecting ITAR information, that opens another painful set of State Department regulations.
We appreciate your question concerning TeamViewer and software of that nature. We are not in a position to recommend the use of specific forms of software to protect CUI. However, I would recommend that you ask your government program office about their opinion on the use of Foreign Controlled and Influenced (FOCI) companies that are producing security applications.
We are basing our answers on how you have described your information technologies. It is your responsibility to go through each requirement and decide if that requirement applies or not. The purpose of this exercise is to complete your POA&M and SSP, a set of documents which get turned in to the DoD CIO and your DoD contracting officer with the descriptions of how your firm is satisfying the requirements, showing your work-off plan, or giving the explanation of why your firm is not fulfilling the requirement.