In an effort to strengthen cybersecurity across the federal government, the National Institute of Standards and Technology (NIST), in collaboration with the National Archives and Records Administration (NARA), issued final guidance on protecting sensitive federal information on nonfederal information systems.
The guidance was initiated by Executive Order 13556, which was signed by President Obama in November 2010. It directed NARA to establish and implement the Controlled Unclassified Information (CUI) Program to standardize the way the executive branch handles unclassified information that requires protection. The program addresses deficiencies in managing and protecting unclassified information, including inconsistent markings, inadequate safeguarding, and needless restrictions, both by standardizing procedures and by providing common definitions through a CUI registry.
In November 2011, NARA established the publicly available registry to reflect the initial categories and subcategories of unclassified information that require dissemination or safeguarding controls. Some examples of CUI registry categories are critical infrastructure, emergency management, financial, intelligence, law enforcement, patent, and privacy.
As part of the implementation, NARA collaborated with NIST to develop a standardized, government-wide approach for protection of CUI when nonfederal organizations – such as contractors, state and local governments, and colleges and universities – are in possession of this information.
“The new guidelines are designed for federal employees with responsibilities for information systems development, acquisition, management and protection,” NIST noted in a June 19 press release. “The requirements apply to all components of nonfederal information systems and organizations that process, store or transmit CUI, or provide security protection for those components.”
The guidance is targeted to a diverse group of individuals in the public and private sectors, including those with responsibilities for information system development; acquisition or procurement; information system, security, and/or risk management and oversight; and information security assessment and monitoring.
According to the guidance, it is anticipated that NARA will establish a single Federal Acquisition Regulation (FAR) clause in 2016 to apply the requirements of the final guidance to contractors and determine oversight responsibilities and requirements. NARA will also address its oversight of federal agencies through the uniform CUI FAR clause, future understandings, and any agreements between federal agencies and their nonfederal information-sharing partners.