Information Security

New NIST guidance planned as part of federal info policy

file folders on a background with binary code

(Image: Shutterstock)

Government officials can get ready to toss out their "For Official Use Only" stamps under a pending rule that would standardize how the government marks and stores information that is deemed sensitive but is not classified.

The National Archives and Records Administration is leading the charge for a new policy on controlled unclassified information (CUI) designed to replace the more than 100 ad hoc system maintained by agencies across government to control – critics say over-control -- information.

In consultation with more than 150 government entities, NARA has come up with a list of 22 categories and 85 subcategories that are considered CUI under the law. These include copyright and patent information, personally identifiable information, raw census data, intelligence and law enforcement data, and information systems vulnerabilities. These are maintained in NARA's CUI Registry. A proposed rule expected to be put out for comment in the Federal Register in August will established uniform policies for the safeguarding, sharing, marking and release of CUI.

New policy will also clarify the relationship between CUI safeguards and decisions to consider documents ineligible for release under the Freedom of Information Act. This will build on existing NARA guidance says that, "CUI markings and designations should not be associated with or paired to FOIA exemptions and should not be used as a basis for applying a FOIA exception."

The NARA effort, though supported by President Barack Obama's Executive Order 13556, lacks a dedicated funding source, and compliance with any IT requirements on the agency side will have to be made in the context of an agency's overall acquisition plan. The rules on CUI "will slipstream through standards that already exist, rather than create parallel or conflicting sets of definition and practices,' said John Fitzpatrick, director of the Information Security Oversight Office at NARA, in a presentation at a June 12 meeting of the National Institute for Standards and Technology's Information Security and Privacy Advisory Board.

Under the planned NARA rule, government agencies hosting CUI in their systems would be directed to adhere to the FISMA moderate standard. Fitzpatrick said that about 80 percent of covered systems already adhere to that standard. "For the other 20 percent, it is going to cause work, but it does not portend a big shift across government," Fitzpatrick said.

NARA is leaning on NIST to push out standards for contractors who hold federal CUI in their systems. This has been a gray area from a regulatory point of view, noted Ron Ross, computer scientist and NIST fellow who leads efforts to propagate security standards for federal and contractor IT systems. The pending NIST guidance is as yet untitled, but was just awarded its own special publication number -- 800.171 -- signifying its importance.

"This is another niche that has not been covered yet. There is the potential for CUI to end up in contractors' organizations that are totally uncovered" by FISMA standards, said Ross. The NIST guidance is being prepared in conjunction with a change to the Federal Acquisition Regulation that would put CUI protection requirements in federal contracts.

NIST has "volunteered to take the arrows as we go through the public vetting process," Ross said. If recent changes to the defense acquisition rules covering unclassified controlled technical information are any indication, Ross said, "we have some rough sledding ahead."

The NIST guidance is planned to be released in fiscal 2015 in order to provide a point of reference for a FAR rule change, planned for fiscal 2016. The CUI rule is expected to be finalized and in effect by April 2015, with full implementation phased in across all agencies in fiscal 2019.

About the Author

Adam Mazmanian is FCW's senior staff writer, and covers Congress, health IT and governmentwide IT policy. Connect with him on Twitter: @thisismaz.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.


  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above