The U.S. government is outsourcing more and more of its work to private-sector contractors. In 2017, federal agencies awarded $510 billion in contracts to private-sector firms, up from $470 billion the previous year. Over the course of these projects, contractors routinely handle sensitive, though unclassified, government data. Simply storing that information on your own systems is not enough; you must also protect it from unauthorized access and disclosure. Contractors should ask each agency about its specific policies and procedures, but any contractor that receives Controlled Unclassified Information (CUI), and Department of Defense contractors in particular, must comply with NIST SP 800-171.
NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is published by the National Institute of Standards and Technology and specifies what private-sector contractors must do to secure Controlled Unclassified Information (CUI). CUI is not a security clearance level or a classification: it is a category of unclassified, nonpublic federal information that a law, regulation, or government-wide policy requires to be safeguarded or subject to dissemination controls. The CUI program was established by Executive Order 13556 in 2010, during the Obama administration. Information marked as CUI requires additional dissemination controls and safeguards to protect it from unauthorized access and disclosure. Contractors can review the full list of CUI categories in the CUI Registry maintained by the U.S. National Archives (NARA).
Under NIST SP 800-171, companies must meet a detailed set of security requirements, organized into fourteen families, to protect any federal CUI they receive from agencies over the course of government projects. These requirements are wide-ranging and cover the following areas (the section numbers are those used in the publication):
- Access Control (3.1)
- Awareness and Training (3.2)
- Audit and Accountability (3.3)
- Configuration Management (3.4)
- Identification and Authentication (3.5)
- Incident Response (3.6)
- Maintenance (3.7)
- Media Protection (3.8)
- Personnel Security (3.9)
- Physical Protection (3.10)
- Risk Assessment (3.11)
- Security Assessment (3.12)
- System and Communications Protection (3.13)
- System and Information Integrity (3.14)
Broadly speaking, every contractor handling CUI should be applying cryptographic protection to the channels through which CUI is accessed (NIST SP 800-171 requires that any cryptography used to protect the confidentiality of CUI be FIPS-validated), implementing multifactor authentication (required for network access and for all access to privileged accounts), protecting CUI in both paper and digital form, and maintaining robust physical and server security procedures so that CUI is protected at rest and in transit. Contractors must also produce a system security plan (SSP) that describes how they achieve and maintain compliance with each of the fourteen requirement families, together with information about their IT environment and the information systems connected to it. Any requirement that is not yet met must be recorded in a plan of action and milestones (POA&M) that states how and when the gap will be closed. You can learn more about these requirements in the NIST SP 800-171 publication itself.
Failure to follow NIST SP 800-171 will hurt your ability to win new projects with federal agencies, and with the Department of Defense in particular. Under DFARS clause 252.204-7012, which mandates NIST SP 800-171 compliance for DoD contractors that handle covered defense information, non-compliant organizations can face contractual, civil, administrative, and criminal consequences. Moving your software and data to the cloud can help you avoid this predicament. With Abacus Private Cloud, you can leverage protections such as two-factor authentication, NIST-aligned information-handling and data-security procedures, 256-bit AES encryption, and layered physical, server, and data security when running your software and accessing your data. Our SSL A-rated U.S. server network, dedicated IP addresses, and encrypted device channels let you work with federal CUI on any device from anywhere. Keep in mind that a hosting provider can implement many of the technical requirements on your behalf, but the contractor remains responsible for its own system security plan, for the requirements that live in its own processes (such as training and personnel security), and for documenting which requirements the provider covers.