NIST, NARA move to secure federal data on outside systems

The National Institute of Standards and Technology has new recommendations for securing sensitive data on IT systems at companies that work for the government. The draft standards, released Nov. 18, are aimed at contractors and other nonfederal organizations that store federal controlled but unclassified information (CUI) in the course of their work.

Ron Ross, a NIST fellow and the lead author of the new guide, discussed the proposed guidelines at a Nov. 19 FCW cybersecurity event. Federal contractors; state, local and tribal governments; colleges and universities all use and store federal data in a variety of ways, he said. Those groups perform scientific research, conduct background investigations for security clearances, provide financial services, develop technology in support of federal agency missions, and engage in other work on behalf of the federal government. 

The data involved can include personally identifiable information, financial data, medical records, technical drawings and other sensitive data. A federal CUI registry outlines 22 top-level categories of data, with subcategories covering everything from electronic fund transfers to source selection in the procurement process.

The new document, Draft Special Publication 800-171, declares that protection of this data on nonfederal systems "is of paramount importance to federal agencies -- and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations."

NIST said the draft was developed in collaboration with the National Archives and Records Administration (NARA) and responds to a 2010 executive order that calls for government-wide standards on the treatment of CUI. The ultimate goal, Ross said, is to ensure that the statutory and regulatory requirements for protecting CUI are consistent, regardless of whether the data resides in federal or nonfederal information systems.

Currently, Ross said, nonfederal organizations must try to meet a wide range of contract clauses, and "conflicting guidance" from different agencies can lead to "confusion and inefficiencies."

Office of Management and Budget regulations already require agencies to ensure their partners protect CUI, he told FCW after the event, "but they never really tell you exactly how to do that."

The draft standards would remedy that situation, requiring nonfederal systems to incorporate two-factor authentication when CUI is stored, and generally meet the Federal Information Security Management Act (FISMA) moderate standards already in place on 70 percent of agency systems.

"We didn't want to have a two-stage solution," Ross said, where different standards applied once data "goes over the fence" and into nonfederal systems.

The draft is part of a three-legged strategy to standardize how CUI is handled -- an effort that would also lead to changes in the acquisition process.

John Fitzpatrick, director of NARA's Information Security Oversight Office, said in a Nov. 18 statement that "this publication and NARA's plan to have a single government-wide CUI directive, as well as our third step of developing a uniform Federal Acquisition Regulation clause to apply them, will bring clarity and consistency to the handling of CUI."

Ross said that a second draft of SP800-171 should be ready by March 2015, with a final document completed by June -- and the related FAR changes coming soon thereafter.

The agency wants comments on SP800-171 between now and Jan. 16. Comments can be emailed to

About the Authors

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Troy K. Schneider is editor-in-chief of FCW and GCN.

Prior to joining 1105 Media in 2012, Schneider was the New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company. The founding editor of, Schneider also helped launch the political site in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times,, Slate, Politico, National Journal, Governing, and many of the other titles listed above.

Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.
