NIST, the National Institute of Standards and Technology, published a document in December 2016, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST Special Publication 800-171). All organizations doing business with government primes must be compliant by 12/31/17. In order to continue to receive purchase orders from government primes in 2018, all companies MUST be compliant with NIST 800-171.
The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. This publication provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. The security requirements apply to all components of nonfederal systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.*
NIST outlines 14 families of requirements, each with extensive subsections:
1. Access Control
2. Awareness and Training
3. Audit and Accountability
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Personnel Security
10. Physical Protection
11. Risk Assessment
12. Security Assessment
13. System & Communications Protection
14. System & Information Integrity
Zentech has been proactively addressing the 14 families and their associated requirements. To assist electronics industry professionals in their understanding of the impact and to best prepare their company for these requirements, I interviewed Clint Fleming, Zentech's VP of Program Management and IT.
SW: This new document was published by NIST in December 2016. How long has Zentech been preparing for these changes, and how long do you recommend a company to prepare in advance?
CF: Zentech has been preparing since publication of the document. I would recommend 6 months to prepare, if you take into consideration an IT professional's regular day-to-day activities and other long-term projects. In that the deadline is only 4 months away, if you have not started this process, you will need to quickly appoint a task team and accelerate your efforts.
SW: How do these requirements differ from what has been required by NIST in the past?
CF: These requirements require, most importantly, two-factor identification to access all CUI data, and that all data be managed in a secure cloud-based environment. It also requires that a sub-prime report its full compliance to each government prime that it works with in order to continue business with them.
SW: What has been the most challenging of the requirements thus far?
CF: From a practical, day-to-day, on-the-shop-floor perspective, two-factor authentication will be the most challenging to adapt to. Two-factor authentication takes more time, and those seconds add up and could affect productivity. Sessions also time out after a specified number of minutes, and credentials have to be re-entered.
The other significant factor is the accounting of hard copies. Companies must create a process for keeping track of all hard copies printed each day that contain CUI data and account for them. Inevitably, there are hard copies, as an operator has multiple items he/she needs to view at the same time. Even if your company added more monitors to reduce the number of hard copies, many plants are up against floor space constraints. Now is the time for organizations to address these challenges and create processes and procedures that will continue to allow the company to run efficiently under the new requirements.
SW: What is the deadline for compliance and what are the ramifications of non-compliance?
CF: All companies doing business with government primes must be compliant by 12/31/17 or they cannot receive any DoD related purchase orders in 2018.
*From the document, NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
About Zentech: Zentech Manufacturing, Inc. is a privately held, engineering-driven contract manufacturer specializing in the design and manufacture of highly complex electronic and RF circuit cards and assemblies. The company is headquartered in its purpose-built facility located in Baltimore, MD and maintains several key certifications, including ISO 9001:2008, ITAR (US State Dept.), AS9100 (aerospace), and ISO 13485 (medical). In addition, Zentech is a certified IPC Trusted Source supplier for Class 3 mission-critical electronics, and the company is IPC J-STD-001 Space Addendum QML certified.