NIST, NARA move to secure federal data on outside systems

concept cybersecurity art

The National Institute of Standards and Technology has new recommendations for securing sensitive data on IT systems at companies that work for the government. The draft standards, released Nov. 18, are aimed at contractors and other nonfederal organizations that store federal controlled but unclassified information (CUI) in the course of their work.

Ron Ross, a NIST fellow and the lead author of the new guide, discussed the proposed guidelines at a Nov. 19 FCW cybersecurity event. Federal contractors; state, local and tribal governments; colleges and universities all use and store federal data in a variety of ways, he said. Those groups perform scientific research, conduct background investigations for security clearances, provide financial services, develop technology in support of federal agency missions, and engage in other work on behalf of the federal government. 

The data involved can include personally identifiable information, financial data, medical records, technical drawings and other sensitive data. A federal CUI registry outlines 22 top-level categories of data, with subcategories covering everything from electronic fund transfers to source selection in the procurement process.

The new document, Draft Special Publication 800-171, declares that protection of this data on nonfederal systems "is of paramount importance to federal agencies -- and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations."

NIST said the draft was developed in collaboration with the National Archives and Records Administration (NARA) and responds to a 2010 executive order that calls for government-wide standards on the treatment of CUI. The ultimate goal, Ross said, is to ensure that the statutory and regulatory requirements for protecting CUI are consistent, regardless of whether the data resides in federal or nonfederal information systems.

Currently, Ross said, nonfederal organizations must try to meet a wide range of contract clauses, and "conflicting guidance" from different agencies can lead to "confusion and inefficiencies."

Office of Management and Budget regulations already require agencies to ensure their partners protect CUI, he told FCW after the event, "but they never really tell you exactly how to do that."

The draft standards would remedy that situation, requiring nonfederal systems to incorporate two-factor authentication when CUI is stored, and generally meet the Federal Information Security Management Act (FISMA) moderate standards already in place on 70 percent of agency systems.

"We didn't want to have a two-stage solution," Ross said, where different standards applied once data "goes over the fence" and into nonfederal systems.

The draft is part of three-legged strategy to standardize how CUI is handled -- an effort that would also lead to changes in the acquisition process.

John Fitzpatrick, NARA's director of Information Security Oversight Office, said in a Nov. 18 statement that "this publication and NARA’s plan to have a single government-wide CUI directive, as well as our third step of developing a uniform Federal Acquisition Regulation clause to apply them, will bring clarity and consistency to the handling of CUI.”

Ross said that a second draft of SP800-171 should be ready by March 2015, with a final document completed by June -- and the related FAR changes coming soon thereafter.

The agency wants comments on SP800-171 between now and Jan. 16. Comments can be emailed to [email protected]

About the Authors

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.

Troy K. Schneider is editor-in-chief of FCW and GCN, as well as General Manager of Public Sector 360.

Prior to joining 1105 Media in 2012, Schneider was the New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company. The founding editor of, Schneider also helped launch the political site in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times,, Slate, Politico, National Journal, Governing, and many of the other titles listed above.

Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.

Click here for previous articles by Schneider, or connect with him on Twitter: @troyschneider.


  • Workforce
    Shutterstock image 1658927440 By Deliris masks in office coronavirus covid19

    White House orders federal contractors vaccinated by Dec. 8

    New COVID-19 guidance directs federal contractors and subcontractors to make sure their employees are vaccinated — the latest in a series of new vaccine requirements the White House has been rolling out in recent weeks.

  • FCW Perspectives
    remote workers (elenabsl/

    Post-pandemic IT leadership

    The rush to maximum telework did more than showcase the importance of IT -- it also forced them to rethink their own operations.

Stay Connected