NIST Issues Draft Cybersecurity Guidelines for Federal Contractors Holding Highly Sensitive Unclassified Information

On June 19, 2019, the National Institute of Standards and Technology (“NIST”) issued its draft SP 800-171B guidelines (the “draft”), which outline enhanced measures to protect controlled unclassified information (“CUI”) held by government contractors.

Building on NIST’s existing SP 800-171 guidelines for protecting CUI on non-federal systems, the draft’s enhanced measures are intended to apply only to components that process, store, transmit or provide security for CUI “contained in a critical program or high-value asset.” The strengthened security requirements are intended to protect the integrity of CUI by promoting: (1) penetration-resistant architecture; (2) damage-limiting operations; and (3) designing for cyber resiliency and survivability.

The draft outlines 31 recommendations, including dual-authorization, access restriction and network monitoring activities. When finalized, the draft’s guidelines are expected to be applied on a case-by-case basis to the small fraction of Department of Defense (“DoD”) contractors with high-value cyber assets or who hold critical defense program information.

The DoD already requires its contractors to comply with the existing NIST SP 800-171 through its DFARS 252.204.7012. Other agencies, such as the Government Services Administration and Department of Homeland Security, have announced or proposed requiring contractor implementation of NIST SP 800-171, but did not finalize those plans.

Because compliance with NIST SP 800-171 can be difficult for some contractors, and because the DoD has not, in fact, clearly articulated the breadth of information covered by DFARS 252.204.7012, the DoD had until recently been more flexible in verifying compliance with NIST SP 800-171. On January 21, 2019, however, the Under Secretary of Defense for Acquisition and Sustainment issued a memo directing more careful review of contractor compliance with NIST SP 800-171.

Technical comments on draft SP 800-171B are due by July 19, 2019.

The Hunton Privacy Blog thanks Eric Hutchins from H2 Legal, P.C. for authoring this post.
