Back in June 2015 the National Institute of Standards and Technology (NIST) published SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The catchy acronym CUI is used for this category of information.
The intent of the standard is to ensure that:
- Statutory and regulatory requirements for the protection of CUI are consistent wherever CUI exists
- Safeguards are consistent in both federal and non-federal information systems and organizations
- The confidentiality impact value for CUI is no lower than moderate
The standard defines fourteen ‘families’ of security requirements for protecting CUI in nonfederal information systems and organizations. Non-federal organizations can meet them with a variety of security solutions, implemented either directly or through managed services.
This standard became mandatory as of 31 December 2017 for all defense suppliers that receive a contract or subcontract subject to the new requirements. In practice, this means the requirements become part of the DFARS contract clause that suppliers have to meet.
There are provisions that allow organizations to self-certify compliance rather than introducing a formal certification regime. But there is a sting in the tail: if non-compliance is discovered, then apart from contract termination there may be actions for criminal fraud and breach of contract.