NIST 800-171: Cybersecurity, CUI/CDI and ‘CMMC’, Part II: How to execute NIST within your business

In Part I of our NIST 800-171 series, we discussed various aspects of complying with DFARS 252.2014-7012 (NIST 800-171 compliance), including certifying under systems like EXOSTAR, identifying gaps within your systems (IT, procedural and physical), capturing CUI/CDI data (if you were paying attention in class, you should know what these acronyms stand for—Controlled Unclassified Information/Covered Defense Information), creating timelines to address your security plans and milestones, and taking a comprehensive inventory of known risks and technology/business gaps, as they related to the 110 controls under NIST.

For Part II, we’re going to address on how/what controls need to be designed and how to mirror them to the upcoming ‘CMMC’—a much easier way to say, Cybersecurity Maturity Model Certification, which will be further explored in the next series and in an upcoming webinar on April 7th. That said, you must take into consideration, when evaluating and drafting your NIST program, you need to ask yourself, whether or not it’s designed well; is it consistently being implemented; is it applicable to your current operations; its ability to adapt to future business and regulatory requirements; and whether the controls are effective, partially effective, or useless (putting it bluntly!). Are you taking a risk-based approach in designing/enhancing your IT/IS systems and internal procedures, or merely looking to meet the minimal requirements in hopes that your customer accepts them?

Having been in-house counsel for several companies, I often found that presenting factual data to the executive team and sponsors, was paramount in order to obtain the funding and resources to tackle large projects, like cybersecurity, as well as, to communicate the compliance and legal risks the company was facing. In order to present that data, you must know your operations including the actual and potential value of government business you are doing today (both directly and indirectly), single points of failure, and what systems you have in place (this should include IT, servers, policies/procedures, legal/regulatory, and physical/structural controls). Some questions that you should ask, are:

  • Can the company, its employees and its systems identify CUI/CDI, both inbound and residing in your systems today?
  • What is the chain-of-custody for CUI/CDI information?
  • Does your company have a single U.S. domain or multiple?
  • Does your company have centralized operations or fragmented?
  • Does your company, and systems, have the ability to make precise content identification and classification for CUI/CDI purposes?
  • Where are your access controls? This should not just be limited to software programs and servers, but to other areas, such as physical and personnel security, and procedural controls (especially when it comes to designs of defense/ITAR/export-controlled programs and data).
  • What is your current cloud infrastructure, external/internal file transfer systems (are they disparate, such as employees using USB thumb drives and/or FTTP sites to transfer technical data controlled under NIST)? Do you have a uniform cybersecurity management system?
  • What U.S. government agencies are you receiving (again, directly and indirectly) controlled technical data from? Department of Defense? Department of Energy? Defense Logistics Agency? Army Contracting Command Center? NAVSEA? I’ve seen each and every one of these agencies provide CUI/CDI both directly and indirectly to companies I have worked for.

This should include repositories for data and backups, the business impact of any failures, and the low-medium-high risk levels assigned to such failures. So, how does this all tie into that acronym ‘CMMC’? It’s beyond the scope of this article to try and explain CMMC’s 5 “Levels” in detail (we will in a future article and in our April webinar), so I will cut to the chase: Level 3 = NIST 800-171 (as well as, addition standards). Thus, architecting your NIST program to the requirements of Level 3, must be your goal.

By way of example, Level 3 includes the following areas (in bold), which can be mirrored against DDTC’s ITAR Compliance Guidelines:

  • Access Controls (AC): This would relate to how you identify & tag ITAR/Export data to ensure proper AC’s are applied appropriately
  • Audit & Accountability (AA): Ability to track and identify who receives ITAR data, and account for it, falls squarely within the above DDTC compliance requirement
  • Identification & Authentication (IDA): How and from whom did you receive the ITAR information? Who has accessed that information?
  • Configuration Management (CM): This addresses the need to define, document, and control logical access to tech data within your system, including retrieval of such information
  • Media Protection (PM) & Recovery (RE): Both address the need to protect, control and recover CUI and other information.
  • What kind of recordkeeping system does the company maintain that would allow for control of, and for retrieval of information on U.S. origin technical data and/or defense articles exported to the company?

Thus, the CMMC touches upon 17 “domains”, some of which are shown above. The DDTC Compliance Program Guidelines, also touch upon many of the same requirements (e.g., identification & receipt of technical data; internal monitoring/auditing; server rights; training)—map each regulatory requirement against the other. You could even take it one step further, as I have, and map each of the domains to the DDTC guidelines to the regulatory citations under 22 CFR 120-130 (the ITAR regulations). This will further enhance both your ITAR and NIST program, by allowing you to update your program as the regulations change, and provide internal and external auditors, a solid roadmap on how you are complying with both the DDTC and the DOD requirements.

I know this may be a lot for someone to digest in one newsletter. Thus, if you’re interested in learning more details on how to design, maintain and implement the above, please either contact me (christos@braumillerlaw.com) or join us on our April 7th live webinar, where subject-matter-expert, Jerry Leishman of the CORTAC group, along with myself, will delve deeper into the CMMC, ITAR and the crossroads of complying with both regulatory agencies. You can register by clicking here.