Information Security

New NIST guidance planned as part of federal info policy

file folders on a background with binary code

(Image: Shutterstock)

Government officials can get ready to toss out their "For Official Use Only" stamps under a pending rule that would standardize how the government marks and stores information that is deemed sensitive but is not classified.

The National Archives and Records Administration is leading the charge for a new policy on controlled unclassified information (CUI) designed to replace the more than 100 ad hoc system maintained by agencies across government to control – critics say over-control -- information.

In consultation with more than 150 government entities, NARA has come up with a list of 22 categories and 85 subcategories that are considered CUI under the law. These include copyright and patent information, personally identifiable information, raw census data, intelligence and law enforcement data, and information systems vulnerabilities. These are maintained in NARA's CUI Registry. A proposed rule expected to be put out for comment in the Federal Register in August will established uniform policies for the safeguarding, sharing, marking and release of CUI.

New policy will also clarify the relationship between CUI safeguards and decisions to consider documents ineligible for release under the Freedom of Information Act. This will build on existing NARA guidance says that, "CUI markings and designations should not be associated with or paired to FOIA exemptions and should not be used as a basis for applying a FOIA exception."

The NARA effort, though supported by President Barack Obama's Executive Order 13556, lacks a dedicated funding source, and compliance with any IT requirements on the agency side will have to be made in the context of an agency's overall acquisition plan. The rules on CUI "will slipstream through standards that already exist, rather than create parallel or conflicting sets of definition and practices,' said John Fitzpatrick, director of the Information Security Oversight Office at NARA, in a presentation at a June 12 meeting of the National Institute for Standards and Technology's Information Security and Privacy Advisory Board.

Under the planned NARA rule, government agencies hosting CUI in their systems would be directed to adhere to the FISMA moderate standard. Fitzpatrick said that about 80 percent of covered systems already adhere to that standard. "For the other 20 percent, it is going to cause work, but it does not portend a big shift across government," Fitzpatrick said.

NARA is leaning on NIST to push out standards for contractors who hold federal CUI in their systems. This has been a gray area from a regulatory point of view, noted Ron Ross, computer scientist and NIST fellow who leads efforts to propagate security standards for federal and contractor IT systems. The pending NIST guidance is as yet untitled, but was just awarded its own special publication number -- 800.171 -- signifying its importance.

"This is another niche that has not been covered yet. There is the potential for CUI to end up in contractors' organizations that are totally uncovered" by FISMA standards, said Ross. The NIST guidance is being prepared in conjunction with a change to the Federal Acquisition Regulation that would put CUI protection requirements in federal contracts.

NIST has "volunteered to take the arrows as we go through the public vetting process," Ross said. If recent changes to the defense acquisition rules covering unclassified controlled technical information are any indication, Ross said, "we have some rough sledding ahead."

The NIST guidance is planned to be released in fiscal 2015 in order to provide a point of reference for a FAR rule change, planned for fiscal 2016. The CUI rule is expected to be finalized and in effect by April 2015, with full implementation phased in across all agencies in fiscal 2019.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy, health IT and the Department of Veterans Affairs. Prior to joining FCW, Mr. Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian started his career as an arts reporter and critic, and has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, Architect magazine, and other publications. He was an editorial assistant and staff writer at the now-defunct New York Press and arts editor at the online network in the 1990s, and was a weekly contributor of music and film reviews to the Washington Times from 2007 to 2014.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.

The Fed 100

Read the profiles of all this year's winners.


  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group