The National Institute of Standards and Technology (NIST) is requesting final comments on its second (and final) draft of its guidelines to protecting “controlled unclassified information,” (CUI) or sensitive federal data that remains unclassified.
NIST composed the draft with the National Archives and Records Administration (NARA) in accordance with Executive Order 13556, which established the CUI program and designated NARA as the main entity to implement it, a NISA press release states. The deadline to comment is May 12, after which NIST will review the thoughts and put together its final document with an anticipated June release.
The groups' draft, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” is designed to help federal agencies protect CUI, in accordance with the Executive Order.
This final draft differs from the original in multiple ways, said Ron Ross, fellow at NIST and lead for the FISMA Implementation Project, in an interview with SCMagazine.com. In particular, the group added Appendices D and E, which look at the security requirements and provide mapping to appropriate NIST security controls.
The groups were also able to remove certain requirements because they could presume organizations with strong cyber security programs would already meet the standards.
For Ross, this final draft consolidated the groups' thoughts and recommendations into one document.
“This really gives you a good picture in a very succinct way about what requirements are now applying to federal organizations and which are not,” he said.
The document also further explains the CUI ruling and maps security requirements to security controls in NIST Special Publication (SP) 800-53 and the IS0/IEC 27001 standard that are the basis for multiple security programs.
These guidelines will especially help organizations, both private and federal, with the onslaught of data breaches that have compromised sensitive information, Ross said.