The Defense Federal Acquisition Regulation Supplement (DFARS), through clause 252.204-7012, requires contractors to implement the security requirements of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
In practice this means that businesses that work with the Department of Defense (DoD), and their subcontractors, must comply with NIST SP 800-171 (the clause also requires flowing the requirement down to subcontractors that handle the same information). The goal is to keep controlled unclassified information (CUI) confidential while it sits in contractor systems. NIST is the agency responsible for developing federal information security standards and guidelines, and SP 800-171 is its guidance to federal agencies on the requirements needed to protect the confidentiality of CUI in specific situations.
NIST SP 800-171 applies to CUI when all of the following conditions hold:
- The CUI resides in a nonfederal (private-sector) information system or organization
- The nonfederal organization is not collecting or maintaining the information, or operating the system, on behalf of a federal agency (systems run on an agency's behalf fall under the agency's own FISMA-based controls instead)
- There are no other safeguarding requirements already prescribed by the authorizing law, regulation, or policy for that specific CUI category in the CUI Registry
DoD contractors were required to have implemented NIST SP 800-171 by December 31, 2017, and it has been the baseline for protecting CUI in contractor systems ever since. Failing to achieve and demonstrate compliance risks the loss of current and future DoD business to competitors that have made NIST SP 800-171 compliance a priority.