July 2022

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Pre-Draft Call for Comments: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Date Published: July 19, 2022
Comments Due: September 16, 2022
Email Comments to: 800-171comments@list.nist.gov

Announcement

NIST plans to update the Controlled Unclassified Information (CUI) series of publications, starting with Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. To support this planned update, NIST is issuing this Pre-Draft Call for Comments to solicit feedback from interested parties to improve the publication and its supporting publications, SP 800-171A, SP 800-172, and SP 800-172A.

SP 800-171 was published in June 2015 with minor updates in December 2016 and February 2020. Since the initial publication date, there have been significant changes in the cybersecurity threats, vulnerabilities, capabilities, technologies, and resources that impact the protection of CUI. In addition, there are the experiences of the organizations that have implemented SP 800-171 and its supporting publications. With these changes and opportunities to learn from implementers, NIST seeks feedback about the use, effectiveness, adequacy, and ongoing improvement of the CUI series.

The following is a non-exhaustive list of topics that may be addressed in the call for comments. Comments may also include other topics related to the improvement of the CUI series. NIST will consider all relevant topics in the development of the revised SP 800-171 and its supporting publications.

Use of the CUI Series

- How organizations are currently using the CUI series (SP 800-171, SP 800-171A, SP 800-172, and SP 800-172A)
- How organizations are currently using the CUI series with other frameworks and standards (e.g., NIST Risk Management Framework, NIST Cybersecurity Framework, GSA Federal Risk and Authorization Management Program [FedRAMP], DOD Cybersecurity Maturity Model Certification [CMMC], etc.)
- How to improve the alignment between the CUI series and other frameworks
- Benefits of using the CUI series
- Challenges in using the CUI series

Updates for consistency with SP 800-53 Revision 5 and SP 800-53B

- Impact on the usability and existing organizational implementation (i.e., backward compatibility) of the CUI series if it were updated for consistency with SP 800-53 Revision 5 and the moderate security control baseline in SP 800-53B

Updates to improve usability and implementation

- Features of the CUI series that should be changed, added, or removed. Changes, additions, and removals can cover a broad range of topics, from consistency with other frameworks and standards to rescoping criteria for inclusion of requirements. For example:
  - Addition of new resources to support implementation: The benefits and challenges of including an SP 800-53 Control Overlay[1] and/or a Cybersecurity Framework Profile Appendix as an alternative way to express the CUI security requirements.
  - Change to the security requirement tailoring criteria: Impact of modifying the criteria used to tailor[2] the moderate SP 800-53B security control baseline (e.g., the potential inclusion of controls that are currently categorized as NFO – Expected to be routinely satisfied by nonfederal organizations without specification)
- Any additional ways in which NIST could improve the CUI series

The comment period is open through September 16, 2022. Please submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.


Cybersecurity Violations in Federal Government Contracts

Department of Justice
Office of Public Affairs

FOR IMMEDIATE RELEASE
Friday, July 8, 2022

Aerojet Rocketdyne Agrees to Pay $9 Million to Resolve False Claims Act Allegations of Cybersecurity Violations in Federal Government Contracts

Aerojet Rocketdyne Inc., headquartered in El Segundo, California, has agreed to pay $9 million to resolve allegations that it violated the False Claims Act by misrepresenting its compliance with cybersecurity requirements in certain federal government contracts, the Justice Department announced today. Aerojet provides propulsion and power systems for launch vehicles, missiles and satellites and other space vehicles to the Department of Defense, NASA and other federal agencies.

The settlement resolves a lawsuit filed and litigated by former Aerojet employee Brian Markus against Aerojet under the qui tam or whistleblower provisions of the False Claims Act, which permit a private party (known as a relator) to file a lawsuit on behalf of the United States and receive a portion of any recovery. Mr. Markus and Aerojet reached a settlement of the case on the second day of trial. Mr. Markus will receive $2.61 million as his share of the False Claims Act recovery.

“Whistleblowers with inside information and technical expertise can provide crucial assistance in identifying knowing cybersecurity failures and misconduct,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division.

“The qui tam action brought by Mr. Markus is an example of how whistleblowers can contribute to civil enforcement of cybersecurity requirements through the False Claims Act,” said U.S. Attorney Phillip A. Talbert for the Eastern District of California.

On Oct. 6, 2021, the Deputy Attorney General announced the Department’s Civil Cyber-Fraud Initiative, which aims to hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches. Information on how to report cyber fraud can be found here.

The qui tam case is captioned United States ex rel. Brian Markus v. Aerojet Rocketdyne Holdings Inc., et al., Case No. 2:15-cv-02245-WBS-AC (E.D. Cal.). The claims resolved by the settlement are allegations only and there has been no determination of liability.

Topic(s): False Claims Act
Component(s): Civil Division; USAO – California, Eastern
Press Release Number: 22-726
Updated July 8, 2022


DoD Compliance Update

In a memorandum dated June 16, 2022, the U.S. Department of Defense highlighted the ongoing risks for contractors that have not yet fully implemented National Institute of Standards and Technology Special Publication 800-171.[1] The memorandum reminds contracting officers of the numerous remedies available to the government if contractors do not comply with the Defense Federal Acquisition Regulation Supplement cybersecurity requirements. The DOD is unambiguously signaling that contractors cannot be complacent and wait until the Cybersecurity Maturity Model Certification, or CMMC, program is rolled out in 2023, but must act now to meet existing contract requirements to safeguard controlled unclassified information, or CUI, or face significant consequences.

Contractors also must comply with assessment requirements to be eligible for awards of contracts involving CUI. A recent bid protest decision demonstrates that if agencies award to a contractor without a compliant assessment reported in the supplier performance risk system, that is grounds for protest. The DOD is under pressure to address cybersecurity threats and will not accept the status quo from contractors while the CMMC program comes together. Contractors required to comply with NIST SP 800-171 because of a contract involving CUI and containing DFARS 252.204-7012 should take heed and ensure they have compliant system security plans and POAMs in place and can show progress toward implementing controls that are unimplemented or partially implemented, to avoid the risk of contract remedies for noncompliance.
Failure to comply with 800-171 and accurately report implementation status or to monitor and report cybersecurity incidents and breaches may also constitute a civil False Claims Act violation.[8] Contractors should confirm that summary scores and other details of their DOD NIST SP 800-171 assessments are posted in the supplier performance risk system to ensure that the lack of such scores does not present an obstacle to award of any contract. Cybersecurity requirements for government contractors are continually evolving, but contractors need to take steps now to ensure they are meeting their contractual obligations.


Countdown to CMMC Compliance

DoD Defense Industrial Base Cybersecurity Update

With over 80% of DoD contractors not yet registered with SPRS, it is essential that you understand the severity of not meeting these requirements. According to the existing schedule, we are less than a year away from CMMC requirements. We have partnered with PreVeil and ComplyUp to assist you in quickly implementing, monitoring and demonstrating your commitment to CMMC. Please contact us at gordon.bruce@gjbandassociates.com for more information on how to jumpstart your compliance journey.
