
Filling the Gap: NIST Document to Protect Federal Information in Nonfederal Information Systems

Posted November 19, 2014

The National Institute of Standards and Technology (NIST) has published for public review draft recommendations to ensure the confidentiality of sensitive federal information residing on the computers of contractors and other nonfederal organizations working for the government.

Developed in collaboration with the National Archives and Records Administration (NARA), the guidance is intended for federal agencies, as called for in a 2010 Executive Order on the treatment of “Controlled Unclassified Information,” or CUI. The deadline for submitting comments on the draft document, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (Draft Special Publication 800-171),* is Jan. 16, 2015.

Executive Order 13556 assigned NARA the task of standardizing the way that the federal executive branch protects CUI. The order also required CUI to be protected consistent with “applicable Government-wide standards and guidelines issued by the National Institute of Standards and Technology, and applicable policies” of the Office of Management and Budget (OMB).

“Currently, different agencies address federal information on the systems of the contractors and other organizations engaged in federal activities, including colleges, universities and state, local and tribal governments in many different ways,” says Ron Ross, NIST Fellow and lead author of the new guide.

As these organizations perform scientific research, conduct background investigations for security clearances, provide financial services, develop technology in support of federal agency missions, or engage in other work on behalf of the federal government, they may handle personally identifiable information, financial data, medical records and other sensitive data.

Because no consistent guidance exists for securing this “sensitive but unclassified” information on nonfederal information systems, “nonfederal organizations receive conflicting guidance from federal agencies on how to handle the same information, giving rise to confusion and inefficiencies,” says John Fitzpatrick, NARA’s director of the Information Security Oversight Office.

NARA identified a three-step process to meet the Executive Order.

“First we defined categories of CUI that need to be protected with standardized procedures government-wide and have a proposed federal CUI rule now under OMB review,” says Fitzpatrick.

Now NARA is working with NIST on SP 800-171 to develop clear, consistent and substantive security requirements for CUI, based on the Federal Information Security Management Act. SP 800-171 includes security requirements and controls—primarily from NIST Federal Information Processing Standard 200 as well as SP 800-53—that have been tailored for nonfederal entities.

“This publication and NARA’s plan to have a single government-wide CUI directive, as well as our third step of developing a uniform Federal Acquisition Regulation clause to apply them, will bring clarity and consistency to the handling of CUI,” says Fitzpatrick.

The draft of Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations is available here. Comments may be submitted to [email protected].

*R. Ross, P. Viscuso, G. Guissanie, K. Dempsey and M. Riddle. Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. (NIST Draft Special Publication 800-171), November 2014.

Source: NIST
