The National Institute of Standards and Technology (NIST) has published for public review draft recommendations to ensure the confidentiality of sensitive federal information residing on the computers of contractors and other nonfederal organizations working for the government.
Developed in collaboration with the National Archives and Records Administration (NARA), the guidance is intended for federal agencies, as called for in a 2010 Executive Order on the treatment of "Controlled Unclassified Information," or CUI. The deadline for submitting comments on the draft document, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (Draft Special Publication 800-171),* is Jan. 16, 2015.
Executive Order 13556 assigned NARA the task of standardizing the way that the federal executive branch protects CUI. The order also required CUI to be protected consistent with "applicable Government-wide standards and guidelines issued by the National Institute of Standards and Technology, and applicable policies" of the Office of Management and Budget (OMB).
"Currently, different agencies address federal information on the systems of the contractors and other organizations engaged in federal activities, including colleges, universities and state, local and tribal governments in many different ways," says Ron Ross, NIST Fellow and lead author of the new guide.
As these organizations perform scientific research, conduct background investigations for security clearances, provide financial services, develop technology in support of federal agency missions, or engage in other work on behalf of the federal government, they may handle personally identifiable information, financial data, medical records and other sensitive data.
Because no consistent guidance exists for securing this "sensitive but unclassified" information on nonfederal information systems, "nonfederal organizations receive conflicting guidance from federal agencies on how to handle the same information, giving rise to confusion and inefficiencies," says John Fitzpatrick, director of NARA's Information Security Oversight Office.
NARA identified a three-step process to meet the Executive Order.
"First we defined categories of CUI that need to be protected with standardized procedures government-wide and have a proposed federal CUI rule now under OMB review," says Fitzpatrick.
Now NARA is working with NIST on SP 800-171 to develop clear, consistent and substantive security requirements for CUI, based on the Federal Information Security Management Act. SP 800-171 includes security requirements and controls—primarily from NIST Federal Information Processing Standard 200 as well as SP 800-53—that have been tailored for nonfederal entities.
"This publication and NARA's plan to have a single government-wide CUI directive, as well as our third step of developing a uniform Federal Acquisition Regulation clause to apply them, will bring clarity and consistency to the handling of CUI," says Fitzpatrick.
The draft of Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations is available at http://csrc.nist.gov/publications/PubsDrafts.html#800-171. Comments may be submitted to sec-cert [at] nist.gov.
*R. Ross, P. Viscuso, G. Guissanie, K. Dempsey and M. Riddle. Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. (NIST Draft Special Publication 800-171), November 2014.