Contractors will, somehow, be living under it, and there’s still time to comment on it: The revision to NIST special publication 800-171 on protection of controlled, unclassified information. That’s not the only cyber policy affecting contractors. For more, Federal Drive with Tom Temin spoke with the Executive Vice President for Policy at the Professional Services Council, Stephanie Kostro.
Tom Temin And Stephanie, this is something that I guess the comment period is still open for a few more days and you recommend people should make sure they know what’s going on here with NIST.
Stephanie Kostro Thanks, Tom, for having me. And you’re exactly right. We at PSC are grateful that NIST has opened the comment period on this draft revision of this very important NIST standard and a special publication. It’s been open since May, but the comments are due this coming Friday, July 14th. And we’ve gotten a lot of feedback from PSC members all across the board, and I’m happy to go through a couple of the key highlights for you with with you now.
Stephanie Kostro So there are a few areas of particular concern. PSC represents services, contractors and so a lot of the technology pieces that come into play are important. Now, the origin of NIST 800-171 is embedded in another NIST standard 800-53, which really looks at federal information systems, etc, for the government itself. 171 was meant to be patterned off of that earlier in the standard. However, there were some divergences and so what Rev three does is tries to align this contractor standard of protecting controlled unclassified information with that earlier standard. And there are several areas where we have some concerns regarding the cost of implementation to small businesses such as they’ve reorganized or recategorized some controls and sometimes small businesses when they’re taking on a new set of standards or that’s new to them, are going to encounter some cost tails, etc., to get this done. And we have some concerns. So in our comments that we’ll be submitting this week, we’re going to talk a little bit about what this third revision means for small businesses.
Tom Temin And the cost of implementing it is what? They would have to buy certain products that would make them compliant or they would have to have services that they themselves use to get themselves into align with this?
Stephanie Kostro That’s exactly right. And in addition, what we appreciate about NIST, not only that they allow us to comment on these draft provisions, but also they’re taking a more flexible and risk-based approach where organizations themselves, contractors themselves can look at their unique circumstances. But I think some small businesses are going to need some support, either walking them through or additional guidance that clarifies what they are subject to versus what someone, a large contractor might have in terms of the depth and breadth and extent to which they’ll have to be in line with certain controls.
Tom Temin And there are no deadlines at this point. Right. That are in I mean, the standards doesn’t have deadlines, it’s not a policy to implement. It’s a set of standards that at some point the agencies might say, okay, now you got to be 171 compliant, right?
Stephanie Kostro And it is evolutionary. And that’s why, of course, why you see a draft revision three this is something that is a living document and will continue to change over time. One area where we do have some concern is that they want companies, entities that have controlled unclassified information to do these independent assessments that are quote unquote current, but that doesn’t define current. So these are that’s an example of an area where needed clarification would be much appreciated at this point. Another needed clarification is Rev three obviously indicates that there was a revision two ahead of it and it would be really helpful if this could put out a red line of what’s different in revision three over revision two. This is a very complicated document and it would be really helpful, particularly to small businesses, but not only to small businesses, to see what exactly has changed.
Tom Temin And I think everyone is wondering about this in the context of CMMC, the Cybersecurity Maturity Model Certification program, that DoD can’t quite get out the door, but yet if it comes, would compliance with 800-171 help you towards CMMC?
Stephanie Kostro Exactly right, Tom. So CMMC has been in a holding pattern now for a couple of years and contractors are tracking it very, very closely. We always hear rumors in the rumor mill about when it might be coming out, CMMC 2.0, etc. That is another area where PSC comments are really going to look at NIST to provide some clarity regarding how does NIST 800-171 revision three apply to CMMC? How many conversations have they had with the Department of Defense in order to align 800-171 to associated requirements? CMMC is one of them, but it’s a very important one. And the other area is what are the flow down requirements, right? So when you look at a prime contractor, you have privity of contract with the government and they can put in certain requirements. What are the, the flow down implications for that into subcontractors? And as you well know, Tom, we are looking at for every, one prime contractor, you have multiple, multiple layers of multiple, multiple subcontractors. And so we’d be looking for clarification from NIST on the flow down requirements.
Tom Temin We’re speaking with Stephanie Kostro. She’s executive vice president for policy at the Professional Services Council. And if you move up a notch from CUI, controled unclassified, you get into the classified area. And now there is this latest memo on the security review that followed that horrible breach coming out of the Air National Guard a few months back. And this is basically from the secretary of defense for defense agencies. But PSC feels contractors are part of this also.
Stephanie Kostro Yeah, I’m glad you raised this topic, Tom, because a couple of months ago, the secretary of defense released a tasker to take an in-depth security review of what was going on with what we call the discord leaks. It’s the Air National Guardsmen up in Massachusetts, but also it’s it could be indicative of a broader issue regarding access to information and who gets cleared and how do we protect the information that needs to be protected most. The impact on contractors is going to be interesting that the secretary after that review signed out a memo. It’s a couple of pages. We haven’t seen the review that is classified for obvious reasons, but the task list that came out of it is not and it’s a couple of pages. It was released on June 30th, and it’s focus is a lot on DoD component heads and the undersecretary of defense for intelligence and security. And and you look at what is being asked in its review of SCIF requirements, and that’s the sensitive compartmented information facilities, SCIF, some of which are owned and operated by contractors or the special access program facilities, or SAPF. Those are can also be controlled with the involvement of DoD officials. And so when we’re looking at this task list, we’re trying to see what impact will it have on contractors. And those are two areas. What are the requirements for SCIFs and SAPFs? What are going to what are going to flow out of that? And some of the deadlines are coming up soon. Some of them are July 31st. Some of them are September 30th. This is a fast moving train, as it should be, but we’re hoping for additional contractor involvement as as implementation gets underway.
Tom Temin And there are also contractors working in government owned and operated SCIFs in some situations. And the question I’ve had, and maybe you’ve thought about this at PSC, is suppose you are a contractor and you see some National Guardsman or some other classified government person, someone with clearance. And you notice by hook or by crook that, hey, they’re downloading stuff that shouldn’t be downloaded or they seem to be taking it with them some kind of activity. Should a contractor report that if it’s being done by someone working for the government or a uniformed service member?
Stephanie Kostro That’s a great question, Tom. And I think I mean, the obvious answer is yes, but how somebody reports somebody else, particularly if it’s a government official who is allegedly downloading stuff that they’re not supposed to be downloading and sharing it, if they’re if they’re not supposed to be sharing it. When you’re a contractor, there have to be rules in place and how you go about reporting such things to whom, etc., and hopefully with no adverse impact on the work that the contractor can do.
Tom Temin It’s non-financial whistleblower.
Stephanie Kostro Protections. Right. Exactly. Exactly right. And so we’re looking for from a contractor perspective, that that guidance that is needed not only how to control facilities and information itself, but how do you how do you tackle issues exactly like the one you raised.
Tom Temin All right. So there’s a lot to worry about at this point.