From: The National Law Review
Article by Susan B. Cassidy and Patrick Stanton | Covington & Burling LLP
Late last month, the National Institute of Standards and Technology (“NIST”) released a set of documents for public comment that are aimed at helping contractors assess and implement compliance with NIST Special Publication (“SP”) 800-171, which establishes the security requirements for protecting Controlled Unclassified Information (“CUI”), including Covered Defense Information (“CDI”). First, NIST released an updated final public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Second, NIST released templates for contractor system security plans (“SSPs”) and plans of action and milestones (“POAMs”). Although none of these documents is finalized or mandatory, they provide useful guidance for contractors struggling with SP 800-171 compliance.
Updates to SP 800-171A
Much of the substance of SP 800-171A remains unchanged from the previous draft, which NIST released in November and which this blog previously discussed. The final public draft is still intended as “a starting point for developing assessment plans and approaches that can produce the level of evidence needed for risk-based decisions or to determine compliance to the CUI security requirements.” This most recent draft likewise still organizes its assessment procedures by the fourteen families of security requirements in SP 800-171, and for each requirement it describes how an assessor could examine relevant documentation and records, interview responsible personnel, or test the implemented mechanisms.