FAR 32 CFR 2002 & NIST SP 800-171
What is FAR 32 CFR 2002 and how does it relate to NIST SP 800-171?
FAR 32 CFR 2002 is a Federal Acquisition Regulation that will require all Federal Contractors to improve their Safeguarding of Controlled Unclassified Information (CUI). It defines that federal contractors must be compliant with the NIST Special Publication 800-171.
NIST Special Publication 800-171 is a set of security requirements that may be added or referenced in federal contracts beginning in November 2016. It defines uniform policies and practices across the federal government and throughout all Prime and Sub Contractor companies conducting business with the US Federal Government. Generally, the NIST SP 800-171 requirements are referenced and added to DoD contracts using the DFARS 252.204-7012 regulation or by adding the FAR 32 CFR 2002 clause to non-DoD Federal Contracts.
The requirements recommended for use in this publication are derived from FIPS Publication 200 and the moderate security control baseline in NIST Special Publication 800-53 and are based on the CUI regulation (32 CFR Part 2002, Controlled Unclassified Information). The requirements and security controls have been determined over time to provide the necessary protection for federal information and systems that are covered under The Federal Information Security Modernization Act (FISMA) of 2014 requires federal agencies to identify and provide information security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of an agency; or information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. This publication focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations, and recommends specific security requirements to achieve that objective. It does not change the information security requirements set forth in FISMA, nor does it alter the responsibility of federal agencies to comply with the full provisions of the statute, the policies established by OMB, and the supporting security standards and guidelines developed by NIST.
We are a federal contractor, but we don't have any Department of Defense (DoD) contracts. What does FAR 32 CFR 2002 mean to me?
This means your company will almost certainly have to change procedures and policies, likely incurring capital expenditures to replace or upgrade computers, network equipment, applications, email systems and more. We cannot emphasis strongly enough, YOU NEED TO UNDERSTAND THIS IMPACT SOONER, RATHER THAN LATER.
As Sentar has helped DoD Contractors complete their NIST SP800-171 compliance assessments, we have learned that almost every company needed to make capital investments in improving their computer and networking security posture, including email, virus protection, two-factor authentication and more. Companies that learned of these requirements earlier were able to save significant costs by considering these new requirements within their normal asset replacement cycles. Some companies avoided costly mistakes that would have occurred due to uneducated upgrades or equipment replacements with non-compliant solutions. Instead their additional costs were minimized. Firms that must rush to meet compliance under deadline may find themselves replacing expensive, newly purchased ERP, CRM, and other applications due to non-compliance.
What is the best way to reduce the cost of becoming compliant on NIST SP 800-171?
The very best way to reduce the impact to your organization and your costs is to complete your assessment as early as possible. Firms that conduct this assessment in the first half of 2017 will likely have almost two years to plan equipment upgrades and replacements, which is generally 2/3 of most companies' replacement equipment buy cycles.
What other information is available about NIST SP 800-171?
Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the Controlled Unclassified Information (CUI) Executive Agent designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program’s mission to establish uniform policies and practices across the federal government, NARA is issuing a final federal regulation in 2016 to establish the required controls and markings for CUI government wide. This federal regulation, once enacted, will bind agencies throughout the executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program.
With regard to federal information systems, requirements in the federal regulation for protecting CUI at the moderate confidentiality impact level will be based on applicable policies established by OMB and applicable government wide standards and guidelines issued by NIST. The regulation will not create these policies, standards, and guidelines which are already established by OMB and NIST. The regulation will, however, require adherence to the policies and use of the standards and guidelines in a consistent manner throughout the executive branch, thereby reducing current complexity for federal agencies and their non-federal partners, including contractors.
In addition to defining safeguarding requirements for CUI within the federal government, NARA has taken steps to alleviate the potential impact of such requirements on non-federal organizations by jointly developing with NIST, Special Publication 800-171 — and defining security requirements for protecting CUI in non-federal systems and organizations. This approach will help non-federal entities, including contractors, to comply with the security requirements using the systems and practices they already have in place, rather than trying to use government-specific approaches. It will also provide a standardized and uniform set of requirements for all CUI security needs, tailored to non-federal systems, allowing non-federal organizations to be in compliance with statutory and regulatory requirements, and to consistently implement safeguards for the protection of CUI.
Finally, NARA, in its capacity as the CUI Executive Agent, also plans to sponsor in 2017, a single Federal Acquisition Regulation (FAR) clause that will apply the requirements contained in the federal CUI regulation and Special Publication 800-171 to contractors. This will further promote standardization to benefit a substantial number of nonfederal organizations that are attempting to meet the current range and type of contract clauses, where differing requirements and conflicting guidance from federal agencies for the same information gives rise to confusion and inefficiencies.
The CUI FAR clause will also address verification and compliance requirements for the security requirements in NIST Special Publication 800-171. Until the formal process of establishing such a FAR clause takes place, the requirements in NIST Special Publication 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements. If necessary, Special Publication 800-171 will be updated to remain consistent with the federal CUI regulation and the FAR clause.