The National Institute of Standards and Technology (NIST) has published guidance to help federal agencies ensure that sensitive government data stored by contractors remains confidential.
Back in April, NIST requested comments on the final draft of the guidelines to protect “controlled unclassified information,” denoted as “CUI” in the guidance. On Friday, the final draft was published following the comment period.
The 76-page guidance (PDF) provides agencies with recommended requirements for protecting the confidentiality of CUI in three instances: when CUI is “resident in nonfederal information systems and organizations; when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies;” and “when there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.”
The guidance specifies that the requirements apply to “all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components.”
Chapter three of the guidance breaks the aforementioned security requirements into 14 families, including access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, and security assessment. “System and communications protection” as well as “system and information integrity” were also among the requirements.
In a Friday press release, NIST explained that the new guidelines were crafted for federal workers with responsibilities for information systems development, acquisition, management and protection – and that the guidance was “drawn from existing computer security requirements for federal information systems found in two of NIST's foundational information security documents”: the Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53) and the Federal Information Processing Standard (FIPS 200).
In Monday email correspondence with SCMagazine.com, NIST fellow Ron Ross adds: “We hope that presenting a consistent set of security requirements to protect the confidentiality of Controlled Unclassified Information will benefit both federal agencies and all of the nonfederal organizations that partner with the federal government to help us carry out our critical missions and business functions.”