All DoD contractors that work with CUI must perform a self-assessment for compliance with NIST SP 800-171. Learn what the assessment process entails.
Controlled Unclassified Information (CUI) is now under close scrutiny from the Department of Defense (DoD) and its nonfederal contractors. The DFARS 252.204-7012 clause and the subsequent DFARS 252.204-7021 and DFARS Case 2019-D041 have already created a reliable framework for safeguarding CUI. As of now, all DoD contractors that process, store, and/or transmit CUI and want to be eligible for any contract award must perform a self-assessment (or basic assessment) for compliance with NIST SP 800-171. We covered the reasons for organizations to conduct the self-assessment in our previous post; now it is time to outline the main aspects of the NIST SP 800-171 self-assessment.
DFARS 252.204-7012 obligates organizations to protect CUI by providing “adequate” protective measures commensurate with the consequences and probability of loss, misuse, or unauthorized access to or modification of information. “Adequate” measures entail compliance with NIST SP 800-171 on all “Covered Contractor Information Systems” (CCIS): unclassified information systems that are owned or operated by or for a contractor and that process, store, or transmit CUI. Thus, before starting the NIST 800-171 assessment, organizations must first understand the scope of their compliance requirements.
The NIST 800-171 self-assessment should start with identifying CUI sources and flows and mapping them within the organization’s information systems. In this regard, organizations must understand that CUI is an umbrella term encompassing Covered Defense Information (CDI) and Controlled Technical Information (CTI).
Covered Defense Information (CDI) is unclassified controlled technical information or other information described in the CUI Registry.
Controlled Technical Information (CTI) is technical information with military or space application that is subject to controls on access, use, modification, reproduction, performance, display, release, disclosure, or dissemination. Technical information, in turn, means technical data or computer software, including research and engineering data, engineering drawings, specifications, standards, manuals, technical reports, data sets, and computer software executable code.
Organizations should review their existing contracts before starting the assessment process to ensure that the CDI/CTI used within the scope of each contract is clearly defined. If it is, the next step is mapping that information within the organization’s environment. If it is not, this may be the time to update the contract language.
Once all CUI is identified, the organization is ready to scope the environment. To scope the environment properly, first determine which systems and processes store, process, or transmit CUI. Next, define in detail how that data traverses your network. Finally, identify all systems, applications, and processes that “touch” CUI. To help prevent labeling everything as CUI, refer to Section 3(b) of Executive Order 13556: “if there is significant doubt about whether information should be designated as CUI, it shall not be so designated.”
The NIST 800-171 assessment methodology has some similarities to Payment Card Industry Data Security Standard (PCI DSS) compliance. From the PCI DSS perspective, poorly done scoping may result in the company’s entire network being defined as the Cardholder Data Environment (CDE), which requires applying PCI DSS requirements throughout the whole company. Such a scenario can make compliance efforts time- and resource-consuming or even technically impossible. Conversely, proper scoping of CUI may reveal that only a small fraction of the company’s network holds CUI. Thus, well-defined scoping makes the assessment more cost- and time-effective.
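The scoping steps above (find the systems that store, process or transmit CUI, trace how the data moves, then list everything that touches it) can be checked mechanically once the inventory and data flows are written down. The following Python is an added example, not code from the original post or from Planet 9: it walks a constructed system inventory and flow list to a fixpoint, so that a backup or replication flow from a CUI system pulls the receiving system into scope, while systems that only exchange non-CUI data with in-scope systems are reported separately as "adjacent" (a documented scoping decision rather than a CUI designation, in the spirit of EO 13556 Section 3(b)). All system names, data classes and flows are hypothetical.

```python
"""Added example (not from the original post): derive the CUI scope of an
environment from a constructed system inventory and data-flow list.
All system names, data classes and flows below are hypothetical."""

# Data classes that count as CUI in this model (CTI and CDI, as the post describes).
CUI_CLASSES = {"CTI", "CDI"}
# A flow tagged INHERIT forwards whatever its source holds (backup, replication,
# directory sync), so whether it carries CUI depends on the source system.
INHERIT = "inherit"

# Constructed inventory: system -> data classes it stores or processes directly.
SYSTEMS = {
    "cad-workstation-01": {"CTI"},     # engineers edit drawings here
    "eng-fileshare": {"CTI", "CDI"},   # deliverables are stored here
    "mail-relay": set(),
    "backup-server": set(),
    "hr-portal": {"HR"},
    "siem": set(),
    "dev-wiki": set(),
}

# Constructed data flows: (source, destination, data class carried).
FLOWS = [
    ("cad-workstation-01", "eng-fileshare", "CTI"),
    ("eng-fileshare", "backup-server", INHERIT),   # nightly backup of everything
    ("hr-portal", "backup-server", INHERIT),
    ("eng-fileshare", "mail-relay", "CTI"),        # drawings e-mailed to the prime
    ("cad-workstation-01", "siem", "logs"),        # security telemetry only
    ("hr-portal", "dev-wiki", "HR"),
]


def cui_holders(systems, flows):
    """Fixpoint over the flow graph: a system is in scope if it is declared to
    hold CUI, if it is an endpoint of a CUI-class flow, or if it receives an
    INHERIT flow from a system that (transitively) holds CUI."""
    holds = {name for name, classes in systems.items() if classes & CUI_CLASSES}
    changed = True
    while changed:
        changed = False
        for src, dst, data_class in flows:
            carries_cui = data_class in CUI_CLASSES or (data_class == INHERIT and src in holds)
            if not carries_cui:
                continue
            for endpoint in (src, dst):   # sender transmits CUI, receiver stores/processes it
                if endpoint not in holds:
                    holds.add(endpoint)
                    changed = True
    return holds


def scope(systems, flows):
    """Split the inventory into the buckets a scoping exercise should record:
    declared CUI systems, systems pulled in by flows, systems adjacent to the
    scope through non-CUI flows only, and everything else."""
    direct = {name for name, classes in systems.items() if classes & CUI_CLASSES}
    in_scope = cui_holders(systems, flows)
    adjacent = {
        other
        for src, dst, _ in flows
        for other, peer in ((src, dst), (dst, src))
        if peer in in_scope and other not in in_scope
    }
    return {
        "direct": sorted(direct),
        "inherited": sorted(in_scope - direct),
        "adjacent": sorted(adjacent),
        "out_of_scope": sorted(set(systems) - in_scope - adjacent),
    }


if __name__ == "__main__":
    for bucket, names in scope(SYSTEMS, FLOWS).items():
        print(f"{bucket:>13}: {', '.join(names) or '-'}")
```

With the constructed data, the backup server and the mail relay land in scope even though nobody declared them as CUI systems, which is exactly the kind of omission a flow-based review catches; the SIEM and the HR portal show up as adjacent, so the decision to keep them out of the CCIS boundary is visible and can be written into the SSP.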
The assessment procedure for each compliance requirement is described in detail in NIST SP 800-171A. Generally, a self-assessment is performed according to the assessment objectives by applying a set of assessment methods and objects.
Assessment objectives include determination statements related to a particular CUI security requirement.
For instance, to properly assess security requirement 3.1.1, “Limit system access to authorized users” (Figure 1), the organization first must determine whether authorized users and the processes acting on their behalf are identified, whether the devices authorized to connect to the system are available, and whether system access is appropriately limited.
Assessment objects identify the specific items that come under assessment. The assessment objects generally include:
Assessment methods define the nature and the extent of the assessor’s actions and include:
The above methods are applied to facilitate understanding, obtain evidence, get clarifications, and, thereby, achieve the objectives for the assessment procedure.
The example of security requirement 3.1.1, “Limit system access to authorized users,” may help in understanding the relationship between methods and objectives. Methods are logically divided among the assessment objects (Figure 1) as follows:
Finally, the organization’s processes for managing system accounts, or the mechanisms implementing account management, may be assessed by testing.
Organizations are not expected to employ all of the assessment methods and objects identified in NIST SP 800-171A. Instead, they have the flexibility to determine which assessment methods and objects are most useful for obtaining the desired results. This determination is based on how the organization can accomplish the assessment objectives in the most cost-effective manner and with sufficient confidence to determine that the compliance requirements have been satisfied.
Thus, building on CUI identification and scoping, organizations can construct assessment plans that select the specific assessment methods and objects meeting the organization’s needs.
One of the main prerequisites for a successful NIST 800-171 assessment is the availability of a System Security Plan (SSP). The SSP is a document that outlines how an organization’s system security requirements are met or are planned to be met. The plan describes the system boundary; the environment in which the system operates; how the security requirements are implemented; and the relationships with or connections to other systems. The SSP also contains information on any security requirements deemed non-applicable by the organization (e.g., no wireless capability in the system or in the system components processing, storing, or transmitting CUI). Requirements that are deemed non-applicable in the system security plan are not assessed. Although no prescribed SSP format exists, NIST has developed an example SSP template, available as an MS Word document on the SP 800-171A publication page.
Once the system security plan is completed, the organization can develop an assessment plan, including the timeframe and objectives for the assessment.
To ensure proper protection of CUI, organizations should implement the CUI security requirements to the fullest extent possible. However, when some of the security requirements are only partially implemented or not implemented at all, a Plan of Action and Milestones (POA&M) must be developed. For instance, some organizations may not be able to afford expensive software licenses or may have other limitations that prevent applying certain requirements. The POA&M allows organizations to document the tasks necessary to resolve their security program’s deficiencies, along with the resources and timelines required to do so. The primary purpose of the POA&M is to assist in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses, bringing the organization closer to the desired assessment score. A POA&M is required by security requirement 3.12.2, “Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.” A general POA&M template is also available on the SP 800-171A publication page.
The NIST SP 800-171 self-assessment results in a score that reflects the net effect of the security requirements not yet implemented. Organizations must report their score, alongside general assessment information, to the Supplier Performance Risk System (SPRS). SPRS stores and provides access to NIST SP 800-171 assessment information: the self-assessment date, the score, and the plan of action completion date, identified by the organization’s Commercial and Government Entity (CAGE) code. SPRS gives organizations access to their own data so they can manage their basic assessment scores.
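The POA&M discussion and the scoring paragraph above fit together: the score is what remains after every open POA&M item is deducted, and the POA&M completion date reported to SPRS is the latest due date among those items. The Python below is an added example, not code from the original post or from Planet 9, that computes the three SPRS fields (assessment date, score, POA&M completion date) from a constructed SSP/POA&M status list and flags deficiencies that have no POA&M due date yet. It assumes, as the DoD Assessment Methodology does but this page does not state, that scoring starts at 110 points and subtracts a fixed weight per unimplemented requirement; the weights and partial-credit values in the tables are illustrative and must be checked against the published methodology before use. Requirement 3.1.16 is treated as not applicable, mirroring the page's "no wireless capability" example.

```python
"""Added example (not from the original post): compute the basic-assessment
score and the SPRS report fields from an SSP/POA&M status list.

Assumptions not stated on the page: scoring starts at 110 and subtracts a fixed
weight per unimplemented requirement; the weights and partial-credit values
below are illustrative and must be verified against the DoD Assessment
Methodology table. The status list is constructed."""
from datetime import date

MAX_SCORE = 110  # assumed starting score

# Assumed weights; any requirement missing from this table defaults to 1 point.
WEIGHTS = {"3.1.1": 5, "3.1.2": 5, "3.5.3": 5, "3.12.2": 3, "3.13.11": 5}
# Assumed partial-credit deductions; every other requirement is all-or-nothing.
PARTIAL = {"3.5.3": 3, "3.13.11": 3}


def deduction(req_id, status):
    """Points subtracted for one requirement.
    status: 'implemented' | 'partial' | 'not_implemented' | 'not_applicable'.
    Requirements documented as not applicable in the SSP are not assessed."""
    if status in ("implemented", "not_applicable"):
        return 0
    if status == "partial" and req_id in PARTIAL:
        return PARTIAL[req_id]
    if status in ("partial", "not_implemented"):
        return WEIGHTS.get(req_id, 1)
    raise ValueError(f"unknown status {status!r} for {req_id}")


def sprs_summary(requirements, assessed_on):
    """requirements: list of dicts with 'id', 'status' and, for open items,
    'poam_due' (a date). Returns the values reported to SPRS plus two checks:
    the open requirements and those that still lack a POA&M due date."""
    deductions = {r["id"]: deduction(r["id"], r["status"]) for r in requirements}
    open_items = [r for r in requirements if deductions[r["id"]] > 0]
    due_dates = [r["poam_due"] for r in open_items if r.get("poam_due")]
    return {
        "assessment_date": assessed_on,
        "score": MAX_SCORE - sum(deductions.values()),
        "poam_completion_date": max(due_dates) if due_dates else None,
        "open_requirements": [r["id"] for r in open_items],
        "missing_poam": [r["id"] for r in open_items if not r.get("poam_due")],
    }


# Constructed status list for a handful of requirements.
SAMPLE = [
    {"id": "3.1.1", "status": "implemented"},
    {"id": "3.1.16", "status": "not_applicable"},   # no wireless, per the SSP
    {"id": "3.1.20", "status": "not_implemented", "poam_due": date(2024, 9, 30)},
    {"id": "3.5.3", "status": "partial", "poam_due": date(2024, 12, 15)},
    {"id": "3.12.2", "status": "implemented"},
    {"id": "3.13.11", "status": "partial"},          # non-FIPS crypto, no POA&M yet
]

if __name__ == "__main__":
    for key, value in sprs_summary(SAMPLE, date(2024, 6, 1)).items():
        print(f"{key}: {value}")
```

The `missing_poam` list is the practical check: a deficiency that is deducted from the score but has no dated milestone is not covered by 3.12.2, and the POA&M completion date reported to SPRS would be wrong until the entry is added.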
The NIST SP 800-171 self-assessment is now the core requirement for non-federal contractors that work with CUI and want to be eligible for any DoD contract award. The assessment procedure starts with identifying CUI as it pertains to the organization’s information systems and processes and ends with reporting the assessment results to SPRS. The self-assessment requires contractors to clearly understand their information system environments, their CUI flows, and how their system security requirements are met (or are planned to be met). However, it is also important to note that CUI protection is a never-ending process, and the NIST assessment is only a milestone on the way to securing CUI.
For more detailed information about the NIST assessment and related procedures, keep reading our blog or consult the Planet 9 team. We’ll be happy to assist.