The genesis of 800-171

By Jake Williams

Disclaimer: This is my personal work and references other works or people who have been helpful in getting this information together. It is not the opinion or work of my employer, now or in the future, and was done on my own time. If you like what I wrote, then my employer gets credit for hiring such a smart guy. If you don’t like it, then don’t blame my employer.

Summary

This article describes the interim rules that were intended to change security requirements for defense contractors, and how they led to the creation of 800-171. This background also helps explain why we have both Basic and Derived security requirements, and where each came from. I will reference this article regularly as I expand on my thoughts and analysis of 800-171 and its future.

The two types of requirements

In 800-171 there are two types of protections – the “Basic Security Requirements” and the “Derived Security Requirements”. Why are there two different types of requirements and where do they come from? The history of DFARS rules regarding CUI helps explain where these come from, and why they exist in 800-171 the way that they do.

Attempts at DFARS rules

The first draft of the DFARS CUI rule was published in June 2011 [Federal Register :: Defense Federal Acquisition Regulation Supplement; Safeguarding Unclassified DoD Information (DFARS Case 2011-D039)]. The “Basic requirements” were determined to have a “Not Significant” cost impact on contractors and were high-level statements not mapped to any existing 800-53 controls. The “Enhanced requirements” included 59 controls from 800-53, chosen by the DoD and applied to a broad range of data types.

In November 2013 the final rule was released, with comments on the first draft leading to some changes. The “Basic Requirements” were removed from this rule as they were not specific DoD requirements (more on these basic controls later). The 59 controls from 800-53 were still included, and the applicability was narrowed to just Controlled Technical Information (CTI) [Federal Register :: Defense Federal Acquisition Regulation Supplement: Safeguarding Unclassified Controlled Technical Information (DFARS Case 2011-D039)].

However, NIST cried foul at this point. They said that it was their job to determine the controls that would apply to CTI since it was a subset of CUI, and the government put NIST in control of tailoring 800-53. This is when 800-171 was started between NIST, NARA, and the DoD.

The first draft of 800-171 came out in June 2015, with both Basic and Derived security requirements. The Basic requirements were pulled directly from those in FIPS 200. The Derived requirements were those that they felt were required when 800-53 was tailored for CUI in nonfederal organizations. Appendix E of 800-171 helps explain their tailoring decisions, and why they chose or excluded certain controls.

The basic security requirements were moved to FAR case 2011-020 for implementation, which was not finalized until three years later. This rule (Federal Register :: Federal Acquisition Regulation; Basic Safeguarding of Contractor Information Systems) was delayed for long enough that it ended up using the Basic requirements in 800-171.

Further Reading

For a more in-depth discussion of these topics, I strongly recommend you watch The Dubious History of CMMC from Jacob Horne (The Fascinating History of CMMC as Told by Jacob Horne - YouTube) which was my source for which documents to reference.

Takeaway

Hopefully this helps you see where 171 came from, and NIST’s role in its creation. It also shows where the Basic requirements came from: NIST didn’t make them up on their own; they were pulled from FIPS 200.

Jason Lowmiller (MSc/CISSP/CISM/CRISC/CCSP)

Security Risk & Compliance Senior Manager

3 years

Nice work Jake

Greg McVerry

Fooling with Words and Identities

3 years

Great article. The basic requirements are the only controls required by law because they are inherited from FIPS. NIST didn't so much cry foul as comply with FISMA. This is why I think Basic controls will not be allowed to be POA&Md. They are required by law regardless of NIST tailoring of 53. You may want to expand on the article to explain how we get from 262 to 110 controls. Maybe add a table of major changes between Rev 1 and 2.
