Filling the Gap: NIST Document to Protect Federal Information in Nonfederal Information Systems

Posted November 19, 2014

The National Institute of Standards and Technology (NIST) has published for public review draft recommendations to ensure the confidentiality of sensitive federal information residing on the computers of contractors and other nonfederal organizations working for the government.

Developed in collaboration with the National Archives and Records Administration (NARA), the guidance is intended for federal agencies, as called for in a 2010 Executive Order on the treatment of “Controlled Unclassified Information,” or CUI. The deadline for submitting comments on the draft document, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (Draft Special Publication 800-171),* is Jan. 16, 2015.

Executive Order 13556 assigned NARA the task of standardizing the way that the federal executive branch protects CUI. The order also required CUI to be protected consistent with “applicable Government-wide standards and guidelines issued by the National Institute of Standards and Technology, and applicable policies” of the Office of Management and Budget (OMB).

“Currently, different agencies address federal information on the systems of the contractors and other organizations engaged in federal activities, including colleges, universities and state, local and tribal governments in many different ways,” says Ron Ross, NIST Fellow and lead author of the new guide.

As these organizations perform scientific research, conduct background investigations for security clearances, provide financial services, develop technology in support of federal agency missions, or engage in other work on behalf of the federal government, they may handle personally identifiable information, financial data, medical records and other sensitive data.

Because no consistent guidance exists for securing this “sensitive but unclassified” information on nonfederal information systems, “nonfederal organizations receive conflicting guidance from federal agencies on how to handle the same information, giving rise to confusion and inefficiencies,” says John Fitzpatrick, NARA’s director of the Information Security Oversight Office.

NARA identified a three-step process to meet the Executive Order.

“First we defined categories of CUI that need to be protected with standardized procedures government-wide and have a proposed federal CUI rule now under OMB review,” says Fitzpatrick.

Now NARA is working with NIST on SP 800-171 to develop clear, consistent and substantive security requirements for CUI, based on the Federal Information Security Management Act. SP 800-171 includes security requirements and controls—primarily from NIST Federal Information Processing Standard 200 as well as SP 800-53—that have been tailored for nonfederal entities.

“This publication and NARA’s plan to have a single government-wide CUI directive, as well as our third step of developing a uniform Federal Acquisition Regulation clause to apply them, will bring clarity and consistency to the handling of CUI,” says Fitzpatrick.

The draft of Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations is available here. Comments may be submitted to [email protected].

*R. Ross, P. Viscuso, G. Guissanie, K. Dempsey and M. Riddle. Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. (NIST Draft Special Publication 800-171), November 2014.

Source: NIST
