So that led us to where we are today with this 800-171. Again, it's an outcropping from the executive order and these DFARS clauses that said you must protect this controlled unclassified information. So understanding the applicability of NIST 800-171 is extremely important. Again, it's for nonfederal organizations with nonfederal information systems that contain CUI. Okay. And if you don't have CUI, you are not subject to all of these controls. I believe firmly that if your organization is in compliance with all 110 controls of the NIST 800-171 standard, you would be much better off and a much more secure organization. But again, unless you have CUI, you are not actually accountable for compliance with 800-171. And then you can see there, it says the requirements are intended for use by federal agencies in contractual vehicles or other arrangements established between those agencies and NFOs. So one of the first steps of working on the road to compliance with 800-171 is understanding: is it applicable to you? And part of that is determining whether you have CUI. There are a lot of assumptions that come along with that, and there are some scoping items we'll get to in a minute that you can use to help reduce the workload and make compliance less costly and much simpler.

So, some assumptions. Statutory and regulatory requirements for the protection of CUI are consistent whether it resides in federal information systems or nonfederal information systems. Safeguards implemented to protect CUI are consistent in both types of systems, and the confidentiality impact value for CUI is no lower than moderate, in accordance with FIPS Publication 199. So FIPS is the Federal Information Processing Standards; Publication 199 is the standard for security categorization of federal information and information systems.
So again, a reference to some other place, but the moderate level is just telling you where you need to be in terms of that protection; you can check that out. So, assumptions for NFOs. They have information technology infrastructures currently in place and are not developing or acquiring systems specifically for CUI. So the government is not telling you that if you have CUI you need to build a whole new system for that. They assume you already have technology in place and that, to at least some extent, it would be capable of protecting CUI. They have safeguards in place which may be sufficient to satisfy the CUI requirements. Again, they're not saying you have to drop everything, build a whole new system, and apply all kinds of new rules. They're assuming that existing safeguards you have, like endpoint protection software, otherwise known as antivirus or anti-malware software, may be sufficient to apply to one or more of the 110 controls in 800-171. They may not satisfy every CUI requirement, but they can implement equally effective alternatives. So you may not be able to do X, but you might be able to do Y instead, and that would provide the same level of protection as X. And I think these assumptions are so important because they're basically saying you don't have to panic, you don't have to start from scratch, you don't have to drop everything you've done and begin from nothing and build an entirely new infrastructure to support CUI. It assumes what you have will already get you a certain amount of the way there. And then finally, they can implement a variety of potential security solutions directly or through the use of managed service providers.

CUI requirements. I've touched on this briefly already: there are 110 controls in the current version of NIST 800-171 that fall into 14 different families. Each control has a well-defined structure consisting of basic security requirements and derived security requirements.
Let's drill down into this a little bit deeper. So the 110 controls, the basic and derived security requirements, are obtained initially from FIPS 200 and NIST Special Publication 800-53 and tailored to eliminate requirements that are uniquely federal, not directly related to protecting CUI, or expected to be satisfied by NFOs without specification. So again, these are geared towards NFOs. You're pulling from a much larger body of controls, 800-53, and then tailoring them for NFOs and nonfederal information systems.

So let's talk about basic security requirements. Here's an example from the Awareness and Training family. Control 3.2.1: ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those organizational information systems. And then 3.2.2: ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. So as you can see, in these two cases these are not technical controls. These are more administrative controls, and you'll find across the 110 controls that some are technical and some are administrative, right? It's not all technical; it's not all about having the latest and greatest technology. And these are two prime examples of that, which is why I included them here. Then here's a derived security requirement from the same family: provide security awareness training on recognizing and reporting potential indicators of insider threat. Obviously insider threat is an increasing risk, especially for sensitive information that foreign governments might want to steal from a defense contractor. Let's face it, it's much easier to steal information from United States companies than it is to spend thousands or millions or hundreds of millions of dollars on R&D.
To develop that same technology. And again, that kind of gets back to why 800-171 is so important in this space. Yeah, we're getting close to the end here. Let's talk about variance from requirements. So again, you may have a specific requirement that you don't think is applicable or that you can't meet for some reason; they have accounted for that in here. "If the Offeror proposes to vary from any of the security requirements specified by NIST Special Publication 800-171 that are in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DoD Chief Information Officer, a written explanation of (a) why a particular security requirement is not applicable, or (b) how an alternative but equally effective security measure is used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection." So you can see this is from DFARS 252.204-7008. And it's important to point out that I think they've done a good job of not being extremely rigid and inflexible in these things. So again, if you find a scenario where you think something doesn't apply to your company because you don't have a certain type of system or you're not using a certain type of technology, maybe you don't have Wi-Fi, for example, you can say that this doesn't apply, but they do have rules around how you have to approach that.