Must an organization meet all CUI and related control enhancements in 800-171
2016-08-16 at 13:31 #6892
As an example, in 252.204-7012 Safeguarding Unclassified Controlled Technical Information, Table 1 notes AC-17(2) as one of the baseline controls. In document 800-171, page D-2, Appendix D under 3.1 Access Control, the NIST SP 800-53 Relevant Security Controls column notes AC-17 Remote Access. In the 800-53 document, AC-17 lists the control and also 9 additional control enhancements. By noting AC-17 instead of AC-17(2) in 800-171, is it requiring you to meet the control plus all control enhancements?
2016-08-26 at 11:46 #6999
Disclaimer: This is not an official response from SRC Inc.; it is an informal peer response intended to provide guidance. Please work closely with your corporate contracting officer and your government contracting office to clarify any contracting or specific NIST SP 800-171 security requirement satisfaction expectations.
This is a great question and could be considered a point of controversy for many of the derived requirements based upon NIST SP 800-53. I am sorry to say that I am unable to locate Table 1 in DFARS 252.204-7012 based upon my web-based searches and my personal reference files. I am going to provide background information, then answer your question.
The first difficulty with satisfying the contractual requirements described in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting is deciphering what is a contractual requirement and how the DFARS communicates to the contractor their reporting requirement to the DOD CIO. Paragraph “(b)(ii)(A)” describes this requirement and describes (indirectly) that NIST SP 800-171 security requirements are a contractual requirement for DOD contractors. Ref: http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
It is important we recognize that NIST SP 800-171 provides the specific security requirements for protecting controlled unclassified information in nonfederal information systems. NIST SP 800-53 is a reference document that was used to create the derived security requirements in NIST SP 800-171. NIST 800-53 is not the directive document for nonfederal information systems protecting CUI. The cross references in Appendix D and E in 800-171 are there to “promote a better understanding” of derived security requirements. Ref: NIST SP 800-171, Page 6, Chapter 2.2
Therefore, a nonfederal information system protecting CUI is not required to conform to any NIST SP 800-53 security controls or control enhancements. You are under contract to satisfy the NIST SP 800-171 security requirements, including the derived security requirements. NOTE: This is subject to change, based upon the actual wording of your contract with the government or formal direction received from your firm’s contracting officer.
I believe this should answer your question. If you have any further questions our team is available to assist you!
Thank you for using the CSIAC Protecting Controlled Unclassified Information forum. We look forward to additional questions.
2017-02-22 at 15:58 #8891
Thank you, that clears up my question.