June 26, 2024
Contractors that do business with the federal government must adhere to specific guidelines for safeguarding sensitive information. The National Institute of Standards and Technology (NIST) issues and revises those guidelines. The guidelines ensure that controlled unclassified information (CUI) is adequately protected. Recently, NIST has updated these guidelines to enhance clarity and usability.
Controlled Unclassified Information (CUI) is information that is not classified but still requires special care and protection, including secure storage, dissemination controls, and access restrictions. Some examples of CUI are Law Enforcement Sensitive materials, Personally Identifiable Information (PII), Protected Health Information (PHI), and Proprietary Business Information.
The original scope of the NIST guidelines was the protection of critical infrastructure, such as banks, hospitals, utilities, and energy companies. The revised NIST guidelines expand the scope to organizations of all sizes in all industries. Compliance is mandatory for organizations that handle CUI while doing business with the United States government, including:
The updated guidelines are found in Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171, Revision 3). Its companion publication is Assessing Security Requirements for Controlled Unclassified Information (NIST SP 800-171A, Revision 3). All nonfederal organizations that store, process, or transmit CUI must comply with these guidelines. The guidelines are especially important for companies supporting government programs with critical assets like weapons and communication systems, as those companies are prime targets for our adversaries.
Previously, discrepancies in the language between these guidelines and NIST’s source catalogs of security and privacy controls (NIST SP 800-53) and assessment procedures (NIST SP 800-53A) led to ambiguities and uncertainties about security requirements. The recent updates address these issues by streamlining NIST’s cybersecurity guidance. The updated version includes an interactive reference tool to enable organizations to tailor the guidelines to their unique circumstances.
The updated NIST guidelines respond to evolving threats and address emerging cybersecurity issues involving cloud security, artificial intelligence, the Internet of Things (IoT), and identity-based threats.
To assist those already using the previous version, NIST has released an analysis detailing the changes in each requirement. The companion publication, SP 800-171A, offers a comprehensive set of the updated assessment procedures aligned with the new security requirements. It also includes examples to illustrate the assessment process.
The Department of Justice launched the Civil Cyber-Fraud Initiative (Initiative) in 2021 to combat cyber fraud. The Initiative uses civil enforcement to hold government contractors accountable for failing to meet cybersecurity standards or failing to report cybersecurity incidents and breaches. Contractors that misrepresent their compliance with the NIST guidelines may violate the False Claims Act. To date, there have been a handful of settlements with government contractors under the Initiative. One such example is the $2.7 million settlement with Insight Global.
If you know a government contractor has falsely certified compliance with its cybersecurity requirements, or failed to report a cybersecurity breach, contact us for a confidential consultation. Our attorneys include several former federal prosecutors with experience safeguarding sensitive government information.