The National Institute of Standards and Technology (NIST) is requesting comments on the second and final draft of a guidance document for federal agencies on protecting the confidentiality of sensitive federal information when such information resides in nonfederal information systems and organizations. This draft contains significant changes from the original draft, which was issued in November 2014.*
Executive Order 13556 established the Controlled Unclassified Information (CUI) Program to standardize the way the executive branch handles unclassified information that requires protection, and designated the National Archives and Records Administration (NARA) to implement that program.
As part of this implementation, NARA is seeking to develop a standardized, government-wide approach for protection of CUI when nonfederal organizations are in possession of this information. Nonfederal organizations include, for example, contractors, state and local governments, and colleges and universities.
The protection of CUI is critical to the national and economic security interests of the United States. The CUI Registry, managed by NARA, contains an extensive list of CUI categories and subcategories that are the exclusive designations for information throughout the executive branch requiring controls based on law, regulations or government-wide policies. Some examples of CUI Registry categories are critical infrastructure, emergency management, financial, intelligence, law enforcement, patent and privacy.
NIST and NARA joined forces in 2014 to write Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.** The publication provides federal agencies with guidance on how to protect the confidentiality of CUI consistent with law, regulation or government-wide policy. It is meant for federal employees with responsibilities for information systems development, acquisition, management and protection.
The changes in the final public draft are based on comments received from both the public and private sectors. In particular, the final draft:
Comments on the final public draft of Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations should be sent to sec-cert [at] nist.gov by May 12, 2015. The publication is available at: http://csrc.nist.gov/publications/PubsDrafts.html#800-171.
* See the November 2014 NIST Tech Beat story, "Filling the Gap: NIST Document to Protect Federal Information in Nonfederal Information Systems."
** R. Ross, P. Viscuso, G. Guissanie, K. Dempsey and M. Riddle. Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. (NIST Final Public Draft Special Publication 800-171), April, 2015.