ALERT: NIST Issues Final Guidance on Federal Contractor Cybersecurity Standards for Controlled Unclassified Information
By Alexander Major on June 23, 2015
Posted in Cybersecurity, National Institute of Standards and Technology (NIST)
On June 19, 2015, the National Institute of Standards and Technology (“NIST”) published the final version of guidance for federal agencies to ensure sensitive information remains confidential when stored outside of federal systems. The guidelines, Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, apply to nonfederal information systems and organizations that process, store, or transmit federal controlled unclassified information, or “CUI,” and match the guidelines published for public comment last fall. The new guidance is step two in a three-part plan with the National Archives and Records Administration (“NARA”), discussed in last month’s blog, to ensure the confidentiality of sensitive federal information no matter where it is stored. As data breaches continue to make near-daily news, federal contractors not using the “recommendations” laid out in SP 800-171 would be wise to take another look, as they contain, more than ever, the Government’s express expectations of how it wants its information protected.
Built upon existing computer security requirements for federal information systems, Federal Information Processing Standard (“FIPS”) 200 and the Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53), the final guidelines are designed to assist federal agencies in the negotiation of information system contracts and agreements where CUI will be stored and processed outside of the Federal Government, including federal contractors; state, local and tribal governments; as well as colleges and universities.
As reflected in its past iteration, the final NIST guidance identifies 14 groupings of security requirements for protecting the confidentiality of CUI on nonfederal systems, including:
1. ACCESS CONTROL: Limit information system access to authorized users.
2. AWARENESS AND TRAINING: Ensure that managers and users of organizational information systems are made aware of the security risks and ensure that personnel are adequately trained.
3. AUDIT AND ACCOUNTABILITY: Create information system audit records to enable the reporting of unlawful, unauthorized, or inappropriate information system activity; and ensure that the actions of individual users can be traced to be held accountable for their actions.
4. CONFIGURATION MANAGEMENT: Establish baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation); and establish security configuration settings for technology products.
5. IDENTIFICATION AND AUTHENTICATION: Identify information system users and authenticate (or verify) the identities of those users as a prerequisite to allowing access.
6. INCIDENT RESPONSE: Establish an operational incident-handling capability for organizational information systems; and track, document, and report incidents to appropriate authorities.
7. MAINTENANCE: Perform periodic maintenance on organizational information systems; and provide effective controls on the tools and personnel used to conduct maintenance.
8. MEDIA PROTECTION: Protect information system media containing CUI, both paper and digital; and limit access to CUI on information system media to authorized users.
9. PHYSICAL PROTECTION: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
10. PERSONNEL SECURITY: Screen individuals prior to authorizing access to information systems containing CUI.
11. RISK ASSESSMENT: Periodically assess the risk to organizational operations, assets, and individuals.
12. SECURITY ASSESSMENT: Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; develop and implement plans of action designed to correct deficiencies.
13. SYSTEM AND COMMUNICATIONS PROTECTION: Monitor, control, and protect organizational communications.
14. SYSTEM AND INFORMATION INTEGRITY: Identify, report, and correct information and information system flaws in a timely manner; and provide protection from malicious code.
None of the requirements is expected to be “one-size-fits-all.” Instead, each recommendation contains a detailed checklist of flexible requirements that are intended to overlap with contractors’ existing security processes. To facilitate this process, the guidance’s Appendix D includes methods by which organizations that have adopted the Federal Government’s Framework for Improving Critical Infrastructure Cybersecurity may map the finalized CUI security requirements to other known security standards and controls, such as those in SP 800-53 and ISO/IEC 27001.
Although following the NIST guidance is not yet mandated, per se, it should be remembered that NARA’s proposed FAR rule, once issued, is expected to require agencies to mandate the SP 800-171 guidance. Contractors should not, therefore, be surprised to find the guidance taking a pivotal role in present contract negotiations where CUI is in play – the writing is, effectively, on the wall. And, if an agency does not mandate the use of guidelines, a savvy contractor living in a world of near-weekly data breaches would be wise to adopt NIST’s “recommendations” as baseline best practices in order to survive regulatory scrutiny in the case of a breach.
Government Contracts, Investigations & International Trade Blog
Copyright © 2015, Sheppard, Mullin, Richter & Hampton LLP. All Rights Reserved.
6/24/2015
http://www.governmentcontractslawblog.com/2015/06/articles/cybersecurity/alert-nist-issu...