December 31: DFARS/NIST 800-171 and New Mandatory Standards for Federal Research
The National Institute of Standards and Technology’s (NIST) Special Publication 800-171 aims to consolidate the Federal government’s procedures for handling Controlled Unclassified Information (CUI), including CUI found in systems operated by federal contractors such as Georgia Tech. In the spirit of open government, these regulations aim to share government data with appropriate entities such as research universities, while keeping it out of the hands of prohibited audiences.
There are 110 total mandatory controls (basic and derived) to be implemented by or before December 31, 2017, including access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, systems and communication, and system and information integrity.
There are 23 categories and 84 subcategories of CUI. Among those categories that may be in the systems of a research university are export controlled technology and information, proprietary business information, federal statistical data such as census data, critical infrastructure, information systems vulnerability information, intelligence, and information protected by HIPAA and FERPA.
DECISION TREE: Does your project need compliance by December 31? Answer these questions or reach out to us.
- Does your research project receive funding from the Department of Defense (DoD) or a DoD-funded prime contractor?
- Does the contract contain DFARS 252.204.7012’s clause, safeguarding covered defense information and cyber incident reporting?
- Have you been informed by your OSP Contracting Officer that you have a project funded by a non-DoD sponsor subject to NIST 800-171?
- Does your project involve funding from DoD’s Small Business Innovation Research (SBIR) or Strategic Technology Transfer Research (STTR) programs?
- Does the project result in storage, processing, or transmission of CUI?
If you answered ‘yes’ to any of the above bullets, contact us to schedule a preparedness presentation and connect you with new resources in place that meet the 110 new controls.
Note: The Office of Sponsored Programs (OSP) Contracting Officer assigned to each project will ultimately determine if that project is subject to these controls. If you aren’t sure if your project involves CUI, contact your Contracting Officer in OSP. Visit: http://osp.gatech.edu/staff-directory