DFARS Updates and Changes | Post 2: NIST 800-53 r4 vs 800-171

In August and December 2015, the Defense Federal Acquisition Regulation Supplement (DFARS) received updates that are crucial for the 10,000-plus defense contractors.  If you have been following our blog, we first reported on the changes back in January.  It is important to understand these changes and how they will affect your organization.  This series of posts will look at the DFARS updates from a high level.  If you haven’t read last week’s post, you can do that here.

This week’s post will boil down the primary differences between NIST 800-53 r4 and 800-171.  For starters, both documents are sets of standards published by the National Institute of Standards and Technology (NIST), a federal government organization that produces standards on a variety of topics, including information security.  Back in 2013, when DFARS 252.204-7012 was issued as a final rule, it relied on NIST 800-53 r4 as the de facto standard that contractors must adhere to in order to meet the DFARS compliance objective of safeguarding Controlled Unclassified Information (CUI).  In August 2015, DFARS was updated and its security control requirements were replaced: NIST 800-53 r4 was swapped out for NIST 800-171.

NIST 800-53 r4

The Department of Defense (DOD) chose NIST 800-53 r4 as the DFARS standard set of controls for a reason.  Its broad set of security controls covers many facets and areas of an organization and relates those areas to the protection of CUI.  NIST 800-53 r4 is a large set of security controls.  With 303 requirements categorized into 18 control families, it is difficult for any organization to meet all of them.  When DFARS adopted 800-53, the DOD narrowed it down to a set of 51 specific control sets that would be effective in safeguarding CUI.  I won’t go into each of the 51 questions, but the table below shows the control families that are specific to DFARS:

Within each control family are several controls.  For example, access control has twelve controls and sub-controls.  Each control is very detailed, and in order to be compliant the defense contractor must meet all of the requirements of the control.  In control AC-2, Account Management, there are 11 requirements within the control, from monitoring system accounts to notifying account managers when access is no longer required (see the full NIST 800-53 here).  The point I am making here is that the level of detail in 800-53 tended to be overkill for defense contractors.  Trying to make their current security initiatives fit within the framework of NIST 800-53 left a lot of room for improvement.  800-53 offered a lot of flexibility in choosing from its list of security controls, but very little when it came to reusing the systems and practices defense contractors already had in place.

Because of this and other issues, such as the applicability or sheer number of controls, the solution was to streamline the requirements needed to protect CUI, and to make them applicable and standard regardless of the size of your organization.  The result is NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, released in June 2015.

NIST 800-171

The primary difference between NIST 800-53 and 800-171 is that 800-171 was developed specifically to protect sensitive data on contractor and other nonfederal information systems.  The set of controls outlined in 800-171 is designed to protect CUI and eliminate the built-in overhead that was geared mostly toward federal agencies.  NIST 800-171 contains a total of 109 requirements, written at a basic level of understanding.  The 109 controls are spread across 14 control families:

Additionally, NIST 800-171 has been derived from NIST 800-53 and FIPS 200.  Many procedural elements have been removed altogether to focus on the most applicable moderate baseline controls.

It is important to note that contractors, under DFARS 252.204-7012, can deviate from the 800-171 control requirements.  The only stipulation is that the DOD CIO’s authorized representative must approve the deviation.  This allows contractors to build on or enhance any security programs that are currently in place, without having to reinvent the wheel or acquire new systems just to process, store, or transmit CUI.

NIST 800-171 has also streamlined its control set.  For example, in NIST 800-171 section 3.1, Access Control, requirement 3.1.1 states:

3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

This single requirement covers both account management and access enforcement.  The contractor will have to show how they limit access and how they enforce that limit.

Aside from the structural differences between 800-171 and 800-53, the intent is the same: contractors are required to protect Controlled Unclassified Information.  With 800-171, how organizations protect the information is now a little clearer.  800-53 was incredibly wordy and often made it difficult to understand what a requirement actually asks for, especially for non-security individuals, whether you are a security person or an IT person performing a security function.

How Can CyberSheath Help Your Organization?

Whatever your security requirements are, CyberSheath can help.  As a leader in helping customers meet DFARS 252.204-7012 compliance requirements, CyberSheath is the place to start.  Begin with a NIST 800-171 assessment to measure your effectiveness and see where to begin.  CyberSheath can help you remediate any controls that are not effective and build out your security program to meet compliance requirements.