The National Institute of Standards and Technology (NIST) is requesting comments on the second and final draft of a guidance document for federal agencies on protecting the confidentiality of sensitive federal information when such information resides in nonfederal information systems and organizations. This draft contains significant changes from the original draft, which was issued in November 2014.*
Executive Order 13556 established the Controlled Unclassified Information (CUI) Program to standardize the way the executive branch handles unclassified information that requires protection, and designated the National Archives and Records Administration (NARA) to implement that program.
As part of this implementation, NARA is seeking to develop a standardized, government-wide approach for protection of CUI when nonfederal organizations are in possession of this information. Nonfederal organizations include, for example, contractors, state and local governments, and colleges and universities.
The protection of CUI is critical to the national and economic security interests of the United States. The CUI Registry, managed by NARA, contains an extensive list of CUI categories and subcategories that are the exclusive designations for information throughout the executive branch requiring controls based on law, regulations or government-wide policies. Some examples of CUI Registry categories are critical infrastructure, emergency management, financial, intelligence, law enforcement, patent and privacy.
NIST and NARA joined forces in 2014 to write Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.** The publication provides federal agencies with guidance on how to protect the confidentiality of CUI consistent with law, regulation or government-wide policy. It is meant for federal employees with responsibilities for information systems development, acquisition, management and protection.
The changes in the final public draft are based on comments received from both the public and private sectors. In particular, the final draft:
- Clarifies the publication's purpose, scope and applicability, and defines underlying assumptions and expectations in applying the recommended CUI security requirements;
- Explains how the publication relates to the CUI federal rule and the planned Federal Acquisition Regulation clause that NARA will sponsor next year;
- Adjusts the CUI security requirements to ensure complete coverage and traceability to federal policies, standards and guidance;
- Provides tables that map CUI security requirements to security controls in NIST Special Publication (SP) 800-53 and the ISO/IEC 27001 standard, which are the basis for many computer security programs;
- Provides additional tables that illustrate how the moderate security control baseline in the federal government's foundational computer security document, NIST SP 800-53, was tailored to handle CUI in nonfederal systems and organizations; and
- Adds guidance on use of the mapping tables to support those nonfederal organizations that are implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity.
Comments on the final public draft of Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations should be sent to firstname.lastname@example.org by May 12, 2015. The publication is available at: http://csrc.nist.gov/publications/PubsDrafts.html#800-171.
* See the November 2014 NIST Tech Beat story, "Filling the Gap: NIST Document to Protect Federal Information in Nonfederal Information Systems."
** R. Ross, P. Viscuso, G. Guissanie, K. Dempsey and M. Riddle. Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. (NIST Final Public Draft Special Publication 800-171), April 2015.