The National Institute of Standards and Technology (NIST) has published the final version of its guidance for federal agencies to ensure that sensitive federal information remains confidential when stored in nonfederal information systems and organizations.
Contractors routinely process, store and transmit sensitive federal information to assist federal agencies in carrying out their core missions and business operations. Federal information is also shared with state and local governments, universities and independent research organizations.
To keep this information secure, Executive Order 13556 established the Controlled Unclassified Information (CUI) Program to standardize the way the executive branch handles unclassified information that requires protection, such as personally identifiable information. The National Archives and Records Administration (NARA) administers the program. Information that qualifies as "controlled unclassified information" is defined by NARA in the CUI Registry, an extensive list of executive branch information that requires controls based on laws, regulations or government-wide policies.
To develop guidelines for protecting this information, NARA worked with NIST, the government's source for computer security standards and guidelines.
The two organizations jointly drafted guidelines for protecting CUI on information systems outside the immediate control of the federal government and published them for public comment last fall.
The new document, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST Special Publication 800-171), is the final version of those guidelines.
The publication provides federal agencies with recommended requirements to protect the confidentiality of CUI residing in nonfederal systems and organizations consistent with law, regulation or government-wide policy.
The new guidelines are designed for federal employees with responsibilities for information systems development, acquisition, management and protection. The requirements apply to all components of nonfederal information systems and organizations that process, store or transmit CUI, or provide security protection for those components.
The guidelines are drawn from existing computer security requirements for federal information systems found in two of NIST's foundational information security documents: Federal Information Processing Standard (FIPS) 200 and the Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53).
"NIST SP 800-171 is critical to our strategy to strengthen needed protections for CUI," says John Fitzpatrick, director of NARA's Information Security Oversight Office. "Together with NARA's recently-proposed CUI regulation and a planned Federal Acquisition Regulation clause, we will bring clarity and consistency to the handling of CUI across government."