The National Institute of Standards and Technology (NIST) issued draft recommendations on Nov. 18 designed to protect sensitive federal information residing on the computers of contractors and other nonfederal organizations working for the government. The recommendations were developed in collaboration with the National Archives and Records Administration (NARA), which, under Executive Order 13556, was assigned the task of standardizing the way the federal executive branch protects controlled unclassified information (CUI).
Executive Order 13556, issued in Nov. 2010, defines CUI as information that involves, among other things, privacy, security, proprietary business interests, and law enforcement investigations.
“At present, executive departments and agencies employ ad hoc, agency-specific policies, procedures, and markings to safeguard and control this information, such as information that involves privacy, security, proprietary business interests, and law enforcement investigations,” the executive order notes. “This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing.”
The guidance issued by NIST provides federal agencies with recommended requirements for protecting the confidentiality of CUI when such information resides in nonfederal information systems and organizations. The requirements apply to nonfederal information systems that are beyond the scope of the systems covered by the Federal Information Security Management Act and all components of nonfederal systems that process, store, or transmit CUI.
“Currently, different agencies address federal information on the systems of the contractors and other organizations engaged in federal activities, including colleges, universities and state, local and tribal governments in many different ways,” Ron Ross, NIST fellow and one of the guide's authors, said in a Nov. 18 statement.
Without a consistent framework for securing CUI, “nonfederal organizations receive conflicting guidance from federal agencies on how to handle the same information, giving rise to confusion and inefficiencies,” said John Fitzpatrick, director of NARA’s Information Security Oversight Office.
According to Fitzpatrick, NARA’s process for meeting the requirements of the executive order included defining categories of CUI that need to be protected with standardized procedures and working with NIST to develop clear, consistent, and substantive security requirements for CUI. In addition, NARA is developing a uniform Federal Acquisition Regulation clause to bring clarity and consistency to the handling of CUI.
NIST is seeking input on the draft guidance from interested stakeholders. Comments are due by Jan. 16, 2015, to email@example.com.