RESOURCES
NEW eResilience article on cyber assurance for prime contractor bidding teams
A new Contract Management magazine article from eResilience discusses supply chain cyber compliance risk and explores issues and strategies that prime contractors should be aware of when sharing CUI with suppliers and subcontractors. This article appeared in the August 2024 issue of Contract Management magazine, published by the National Contract Management Association. Used with permission.
NEW DoD issues Class Deviation on Cybersecurity Standards for Covered Contractor Information Systems
The DoD has issued a Class Deviation that modifies the DFARS 252.204-7012 clause so that it requires CUI-handling contractors to implement specifically NIST SP 800-171 Revision 2, instead of "the version of NIST SP 800-171 in effect at the time the solicitation is issued". This means the CMMC program will continue to use 171 R2 as the underlying standard for compliance even after 171 R3 becomes final. The class deviation is effective immediately and will remain in effect indefinitely, until rescinded.
NEW Department of Defense (DoD) Defense Industrial Base (DIB) Cybersecurity (CS) Activities
The DoD released a final rule that revises eligibility criteria for the voluntary DIB Cybersecurity Program, allowing all contractors who handle CDI (DoD CUI) to benefit from bilateral information sharing, which was previously available only to cleared contractors. This ruling also replaces the need for a Medium Assurance Certificate to access the DIBNet portal for cyber incident reporting by allowing registration for DIBNet access through the Procurement Integrated Enterprise Environment (PIEE).
Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012
The DoD has circulated this Memo to contracting officers to remind them of contractor cyber compliance requirements and emphasize penalties that can be levied against non-compliant contractors.
DoD Inspector General Report: Audit of the Protection of Military Research Information and Technologies Developed by Department of Defense Academic and Research Contractors
The DoD Office of the Inspector General released the findings of an audit regarding NIST 800-171 compliance among DoD research contractors and academic institutions, finding that the protection of CUI is not adequate and that contracting officers must increase the emphasis on compliance.
NIST SP 800-172 “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171”
NIST 800-172 prescribes enhanced security requirements designed to further protect Controlled Unclassified Information (CUI) from advanced persistent threats by protecting the confidentiality, integrity, and availability of that information on nonfederal information systems associated with critical programs or high value assets. This publication does not replace NIST SP 800-171, but creates additional security requirements that will need to be implemented for selected systems.
Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
The DoD has issued an interim rule to amend the DFARS cybersecurity regulations to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification (CMMC) framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain. (Comments on the interim rule should be submitted in writing on or before 60 days after date of publication in the Federal Register.)
Update: NIST SP 800-171 DoD Assessment Methodology Version 1.2.1
The DoD has released an update of its NIST SP 800-171 Assessment Methodology, introducing the ability for the DIBCAC to perform remote "virtual" assessments at the Medium and High Confidence level due to the COVID-19 pandemic. Basic assessments will still be self-reported by contractors, and the subtractive, weighted scoring system is still in place.
NIST SP 800-171A – Assessing Security Requirements for Controlled Unclassified Information (June 2018)
This is the government’s Special Publication that provides guidance for assessing compliance with NIST 800-171. The 171A guidance describes what evidence is needed and how to conduct a total of 320 objective tests to be used for validating successful implementation of the 110 security requirements of NIST 800-171.