NIST Draft Guidance Seeks to Protect Sensitive Data in Hands of Contractors

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Nov. 20 — The National Institute of Standards and Technology Nov. 18 released draft guidance that aims to help federal government contractors and other nonfederal organizations working for the government protect sensitive federal information.

NIST developed the guidance in collaboration with the National Archives and Records Administration (NARA).

The guidance addresses how to protect “controlled unclassified information” (CUI), which the document defines as “information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and governmentwide policies, excluding information that is classified.” A 2010 executive order (Executive Order 13556) required that CUI be protected.

“Currently, different agencies address federal information on the systems of the contractors and other organizations engaged in federal activities, including colleges, universities and state, local and tribal governments in many different ways,” Ron Ross, NIST fellow and one of the guide's authors, said in a Nov. 18 statement by NIST.

There is no consistent guidance for protecting CUI on nonfederal information systems, NIST said. As a result, “nonfederal organizations receive conflicting guidance from federal agencies on how to handle the same information, giving rise to confusion and inefficiencies,” John Fitzpatrick, director of NARA's Information Security Oversight Office, said in NIST's statement.

Fitzpatrick said the Office of Management and Budget is reviewing a proposed federal CUI rule. In addition to the NIST publication and the proposed rule, NARA is developing a uniform Federal Acquisition Regulation clause to apply to CUI, he said.

Comments on the draft are due Jan. 16.

The draft “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (SP 800–171) is available at http://csrc.nist.gov/publications/drafts/800-171/sp800_171_draft.pdf.