(Part Three in a Three-part Series)
NIST 800-171A has been widely discussed in our industry, and NIST has promised to release it sometime in 2018. It introduces a standardized way to perform a more structured and granular assessment against the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 framework.
The Genesis of NIST 800-171A
NIST SP 800-171 is a government standard that has been developed for the protection of Controlled Unclassified Information (CUI) on nonfederal systems. It includes a set of technical, procedural, and administrative security requirements – 110 in total, spread across 14 families (or domains).
The net effect of NIST 800-171A is that it provides additional support and guidance for the federal government contractor as it works toward compliance. It does not introduce an additional layer of compliance steps.
As federal contractors pursued compliance, some ambiguities were perceived. The intentional allowance given to contractors – to address the NIST 800-171 requirements according to the threat landscape faced and the business environment required – led to confusion and misinterpretation. Several contractors expressed an interest in a more templatized and structured approach that would help them take clear steps to show compliance. NIST, in coordination with the DoD, started working on NIST 800-171A (‘A’ stands for ‘assessment’). This publication provides clear ways in which the contractor can evaluate its CUI environment and provide a guided narrative that shows proof of compliance.
Currently, NIST 800-171A has been released for public comment. NIST will close the comment period in March 2018 and begin adjudicating and implementing the comments received. Release of the final version is targeted for late spring or early summer 2018.
NOTE: Just like NIST SP 800-171, NIST 800-171A is just a standard. There is no stipulation or enforcement law behind it. It is a series of guidance steps developed by NIST to help further clarify the intent behind NIST 800-171 and assist the contractor in its maturity toward compliance.