Information Security

New NIST guidance planned as part of federal info policy


Government officials can get ready to toss out their "For Official Use Only" stamps under a pending rule that would standardize how the government marks and stores information that is deemed sensitive but is not classified.

The National Archives and Records Administration is leading the charge for a new policy on controlled unclassified information (CUI) designed to replace the more than 100 ad hoc systems maintained by agencies across government to control -- critics say over-control -- information.

In consultation with more than 150 government entities, NARA has come up with a list of 22 categories and 85 subcategories that are considered CUI under the law. These include copyright and patent information, personally identifiable information, raw census data, intelligence and law enforcement data, and information systems vulnerabilities. These are maintained in NARA's CUI Registry. A proposed rule expected to be put out for comment in the Federal Register in August will establish uniform policies for the safeguarding, sharing, marking and release of CUI.

The new policy will also clarify the relationship between CUI safeguards and decisions to consider documents ineligible for release under the Freedom of Information Act. This will build on existing NARA guidance that says, "CUI markings and designations should not be associated with or paired to FOIA exemptions and should not be used as a basis for applying a FOIA exception."

The NARA effort, though supported by President Barack Obama's Executive Order 13556, lacks a dedicated funding source, and compliance with any IT requirements on the agency side will have to be made in the context of an agency's overall acquisition plan. The rules on CUI "will slipstream through standards that already exist, rather than create parallel or conflicting sets of definition and practices," said John Fitzpatrick, director of the Information Security Oversight Office at NARA, in a presentation at a June 12 meeting of the National Institute for Standards and Technology's Information Security and Privacy Advisory Board.

Under the planned NARA rule, government agencies hosting CUI in their systems would be directed to adhere to the FISMA moderate standard. Fitzpatrick said that about 80 percent of covered systems already adhere to that standard. "For the other 20 percent, it is going to cause work, but it does not portend a big shift across government," Fitzpatrick said.

NARA is leaning on NIST to push out standards for contractors who hold federal CUI in their systems. This has been a gray area from a regulatory point of view, noted Ron Ross, computer scientist and NIST fellow who leads efforts to propagate security standards for federal and contractor IT systems. The pending NIST guidance is as yet untitled, but was just awarded its own special publication number -- 800.171 -- signifying its importance.

"This is another niche that has not been covered yet. There is the potential for CUI to end up in contractors' organizations that are totally uncovered" by FISMA standards, said Ross. The NIST guidance is being prepared in conjunction with a change to the Federal Acquisition Regulation that would put CUI protection requirements in federal contracts.

NIST has "volunteered to take the arrows as we go through the public vetting process," Ross said. If recent changes to the defense acquisition rules covering unclassified controlled technical information are any indication, Ross said, "we have some rough sledding ahead."

The NIST guidance is planned to be released in fiscal 2015 in order to provide a point of reference for a FAR rule change, planned for fiscal 2016. The CUI rule is expected to be finalized and in effect by April 2015, with full implementation phased in across all agencies in fiscal 2019.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy, health IT and the Department of Veterans Affairs. Prior to joining FCW, Mr. Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian started his career as an arts reporter and critic, and has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, Architect magazine, and other publications. He was an editorial assistant and staff writer at the now-defunct New York Press and arts editor at the online network in the 1990s, and was a weekly contributor of music and film reviews to the Washington Times from 2007 to 2014.
