Effective December 31, 2017, before applying for and accepting a contract award from the U.S. Department of Defense (DoD), authorized officials at the University of Houston must self-attest to compliance with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, which requires the implementation of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 information security standards to safeguard systems and networks that process, store, or transmit covered defense information. In addition, prior to October 1, 2017, the University should notify the DoD CIO of any requirements of NIST SP 800-171 that are not implemented at the time a contract is awarded.
Controlled Unclassified Information (CUI)
Covered defense information, as it relates to Department of Defense awards, is Controlled Unclassified Information (CUI). This is information the government creates or possesses, or that the university creates or possesses on behalf of the government, to which access or distribution controls have been applied in accordance with laws, regulations, or Government-wide policies. CUI does not include classified information, nor information the university possesses and maintains in its own systems that did not come from, and was not created or possessed by or for, a Government agency. A full list of information types (categories and subcategories) is available at the CUI Registry of the National Archives.
DFARS 252.204-7012 - Safeguarding Covered Defense Information and Cyber Incident Reporting
This regulation requires contractors, including PIs, to provide adequate security to safeguard covered defense information that is processed, stored, or transmitted on their internal information systems or networks, using NIST SP 800-171 as the performance-based standard for compliance with the regulation. Contractors must also flow down this requirement to all subcontractors.
National Institute of Standards & Technology (NIST) standards - Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations
This publication details the mandatory controls for both federal and non-federal agencies, including requirements governing policy, process, and secure IT configuration. The mapping table in Appendix D of NIST SP 800-171 maps each requirement to the relevant security controls; although there are 110 security requirements, they can be grouped into the fourteen families outlined in the table at the link provided.
Meeting the NIST Information Technology standard – the University Framework
There are multiple components required for compliance with the NIST standards. The university is defining the framework for institutional compliance with the standards through the implementation of the following:
First, the regulation allows the contractor to self-attest to compliance if it can demonstrate implementation, or planned implementation, of the security requirements through a system security plan and associated plans of action. The university is developing these documents, which will be provided to the PIs.
- System security plan (Security Requirement 3.12.4) - A document that is periodically updated to describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. Federal agencies may consider the University's system security plan and plans of action as critical inputs to the evaluation factors in the contract selection process. Whether and how this will be used in the proposal evaluation must be stated in the solicitation.
- Plans of Action (Security Requirement 3.12.2) - A document used to describe individual, isolated, or temporary deficiencies and the management plan designed to correct those deficiencies and reduce or eliminate vulnerabilities in the University's systems utilized by the researcher.
Next, to address the infrastructure requirements, the university is identifying a third-party NIST-compliant vendor (for example, Amazon Web Services or Microsoft Azure Gov Cloud). To be compliant with the standards, PIs will be responsible for contracting with the identified vendor.
Research Administration Process and Procedure
In order to submit, certify, and accept DoD awards with this requirement, the Office of Contracts and Grants (OCG) and College research administrators will work with individual PIs to ensure a smooth implementation and transition.
- OCG Pre-Award - At the proposal stage, the Pre-Award team will identify contracts with this requirement through solicitation review. Once a contract is identified, the team will work with the PI to provide awareness and training. The PI will have an opportunity to review the NIST-compliant vendor's service specifications so that the cost of meeting the requirements can be included in the proposal budget. According to the DoD Chief Information Officer, the solicitation may require or allow elements of the system security plan, which demonstrate implementation of NIST SP 800-171, to be included with the proposal. Ultimately, by submitting a proposal with this requirement, the university is representing its compliance.
- OCG Post-Award - At the award stage, the Contract Officer will work with the PI to set up and sign a Technology Control Plan (TCP) that outlines the policies and defines specific responsibilities for securing the information. Before awarded funds can be released, the PI(s) must review and sign the plan, certifying that he/she is aware of the IT systems in place, the applicable UH policies and procedures, and his/her responsibilities to protect the CUI.
For other awards carrying the Federal Acquisition Regulation (FAR) and DFARS clauses listed below that do not specify NIST standards but do require the safeguarding of CUI, an individual TCP will be required, as well as the use of a third-party NIST-compliant environment to secure the information.
- 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
- 252.204-7008 Compliance with safeguarding covered defense information controls
- 252.204-7012 Safeguarding covered defense information and cyber incident reporting