The Next Black Monday
January 1st, 2018 falls on a Monday. This fact is unimportant to most people as they consider their business routine. Years come and go, and the day that they start on is of little consequence. The question for this next new year is: Will January 1st, 2018 be the next Y2K, or will it be Cyber Monday for information security?
On November 10th, 2010 President Obama signed Executive Order 13556 designating the National Archives and Records Administration (NARA) as the Executive Agent to implement the national CUI program. CUI is considered “any potentially sensitive, unclassified data that requires controls in place which define its proper safeguarding or dissemination.” It must be “consistent with applicable law, regulations and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act.”
NARA began working with the National Institute of Standards and Technology (NIST) to develop a set of standards where government contractors would be required to maintain specific CUI controls and procedures, generally meeting the Federal Information Security Management Act (FISMA) standard at the moderate level. The resulting standard is NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
For many government agencies, including the Department of Defense (DoD), General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA), the rules for NIST (SP) 800-171 compliance take effect December 31, 2017. Also, under federal regulations such as DFARS clause 252.204-7012, every affected company and agency must now assess and document its compliance.
While generally following accepted best practices and common organizational information security methodology, achieving full compliance with NIST (SP) 800-171 is no easy task. A full audit of organizational policy, procedures, and control mechanisms must occur and be documented. This must be accomplished by all federal government prime contractors, sub-contractors, and any suppliers that have the potential to access government CUI data.
Organizations that fail to achieve NIST (SP) 800-171 compliance are at risk of having their government contract canceled, including for non-compliance by their sub-contractors and suppliers. This makes the prime contract holders liable for all of their sub-contractors' and suppliers' adherence to policy. The financial implications of this could be staggering, with small businesses and billion-dollar prime contractors affected equally. A minor sub-contract in the thousands could affect a billion-dollar prime contract due to the potential for pass-through risk and liability.
The question then stands: Is NIST (SP) 800-171 a dog that is all bark and no bite, or a cobra coiled in the grass poised to strike on January 1st, 2018? Will the new administration pick up the cybersecurity gauntlet touted on the campaign trail and make good on the promise to secure our government and its citizens, or will the intense pressure from industry defuse the catastrophic threat that enforced compliance could pose to government contractors?