On November 28, 2017, the National Institute of Standards and Technology (“NIST”) released a draft special publication on “Assessing Security Requirements for Controlled Unclassified Information.” The publication offers guidelines for contractors seeking to comply with the Controlled Unclassified Information (“CUI”) requirements listed in NIST SP 800-171. The guidelines provide a framework for contractors to develop specific procedures to assess their CUI security and compliance with all 110 controls outlined in NIST SP 800-171. The draft guidelines, open for public comment until December 27, 2017, are available here.
Contractors handling CUI under Department of Defense contracts are required to comply with NIST SP 800-171 by December 31, 2017. See DFARS 252.204-7012(b)(2)(ii)(A). On September 21, 2017, the Department of Defense issued guidance in anticipation of the December 31, 2017 deadline, explaining that “[t]o document implementation of the NIST SP 800-171 security requirements by the December 31, 2017, implementation deadline, companies should have a system security plan in place, in addition to any associated plans of action to describe how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems.” DoD Guidance on Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting at p. 3, available here.