Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
The part of this EO we are discussing today is Sec. 8, Voluntary Critical Infrastructure Cybersecurity Program. Through this EO, NIST publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, was activated. What is NIST 800-171, what does it mean for government contractors, and how can you comply?
Glad you asked! For any private company working on government contracts, Controlled Unclassified Information (CUI) brings new obligations that must be addressed. In essence, contracting officers will be imposing NIST requirements on vendors for protecting the confidentiality of CUI.
For non-federal contractors and vendors, there are multiple approaches and solutions to address competence under these new guidelines, although there is no single compliance standard. The two most popular and universally adopted are NIST Special Publication 800-53 and ISO 27001.
With the National Archives and Records Administration (NARA) issuing a federal regulation to make the requirements of Special Publication 800-171 mandatory government-wide, the time to choose a strategy and direction is right now if you are a government contractor. The forthcoming Federal Acquisition Regulation (FAR) will require that contractors meet the specified measures in 800-171. This will impact many government contractors. 800-171 is far-reaching, broad and very detailed across fourteen families of cybersecurity requirements. Those families are as follows.
327 Solutions is a global provider of ISO 27001 training and certification Bootcamps, helping teams address the broad implications of 800-171 quickly and efficiently. We have publicly available courses and are happy to come to your site anytime for private events.