There's a requirement for any United States Government entity or contractor working with "Controlled Unclassified Information" to maintain and protect that data using NIST SP 800-171 at minimum. This includes encryption requirements that must meet or exceed FIPS 140-2. USG has been slowly educating USG Contracting Officers, prime contractors and subcontractors about the new requirements, and thus where there are new contracts (especially for the US DoD) there are new FARS/DFARS mandates. As we end 2018, most DoD contracts now include DoD DFARS 252.204-7012 (OCT 2016). The DoD has already started supplier "NIST SP 800-171 audits" to see how compliance really is coming along.

So where this FIPS 140-2 encryption requirement used to be only inside USG or prime DoD, you will find it is creeping out into universities, second/third tier contracting agencies, etc. Wherever CUI data is stored or moved, we need proof of FIPS 140-2 validated encryption - not just best industry practice encryption. The Windows 10 Pro/Enterprise clients do offer some help here with FIPS options, but we would like to manage it in ZENworks just as we would ZENworks Full Disk Encryption if possible...

References for those USA-based entities or foreign entities who contract with the USG:

Search for your favorite companies and product modules here (some of our favorites have not renewed for quite some time. Hmmm...):
NIST FIPS 140-2, Cryptographic Module Validation Program - Validated Modules Search
https://csrc.nist.gov/projects/cryptographic-module-validation-program/module-validation-lists

National Archives, Controlled Unclassified Information (CUI) Category List
https://www.archives.gov/cui/registry/category-list

FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems.
https://www.acquisition.gov/sites/default/files/current/far/html/52_200_206.html#wp1155195

DoD DFARS 252.204-7012 (OCT 2016) Safeguarding Covered Defense Information and Cyber Incident Reporting.
https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

DoD DPAP (NOV 2018) Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
https://www.acq.osd.mil/dpap/pdi/cyber/guidance_for_assessing_compliance_and_enhancing_protections.html

NIST SP 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final

NIST SP 800-171A Rev. 1, Assessing Security Requirements for Controlled Unclassified Information
https://csrc.nist.gov/publications/detail/sp/800-171a/final

NIST Handbook 162 November 2017, NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements
https://www.nist.gov/publications/nist-mep-cybersecurity-self-assessment-handbook-assessing-nist-sp-800-171-security
