New U.S. Government-Backed Standards for Protecting Data Will Affect Federal Contractors

Government Contracts Update

Date: June 26, 2015

On June 18, 2015, the federal government’s National Institute of Standards and Technology (NIST) issued new data security guidance that will significantly affect those doing business with the government. In a publication titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” NIST provides the basis for future regulations on what practices “nonfederal” entities (such as government contractors) must adopt to adequately protect unclassified controlled technical information (UCTI) in connection with performing their government contracts.

NIST 800-171 focuses on minimum standards and best practices within fourteen “Security Requirement Families” necessary to protect UCTI:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

The publication provides detailed lists of basic and derived security requirements contractors need to employ to meet each of the fourteen standards. The publication extensively references a number of pre-existing policies for data security, particularly NIST Special Publication 800-53 and Federal Information Processing Standards (FIPS) Publication 200, and complements existing UCTI regulations promulgated by the General Services Administration and the Department of Defense. These policies and regulations – plus others not referenced – provide the guidance on minimum requirements and best practices for protecting data that the government entrusts to contractors. This piecemeal approach poses some risk for contractors who do not keep track of all of the applicable regulations and publications and reconcile them with one another to create a satisfactory cybercompliance plan.

While the government works to create more uniformity and clarity in this area – including a uniform FAR clause scheduled for release in 2016 – contractors need to stay in tune with the existing network of rules and standards to ensure that they continue to adequately protect UCTI and comply with their legal obligations to the government.

Contractors can get a start on compliance by:

  • Identifying whether they possess UCTI
  • Analyzing their current practices, systems and solutions for protecting that data and monitoring data security
  • Developing an effective incident response plan and implementing processes for responding to and mitigating the negative effects of security and data loss incidents

Contractors should also be aware of the various cybersecurity clauses in their contracts and ensure compliance with those requirements, including all agency notice requirements. Members of Thompson Hine’s Government Contracts group can help contractors with these assessments.


For more information, please contact:

Thomas F. Zych


This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgement of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.