NIST, NARA move to secure federal data on outside systems
- By Mark Rockwell, Troy K. Schneider
- Nov 19, 2014
The National Institute of Standards and Technology has new recommendations for securing sensitive data on IT systems at companies that work for the government. The draft standards, released Nov. 18, are aimed at contractors and other nonfederal organizations that store federal controlled but unclassified information (CUI) in the course of their work.
Ron Ross, a NIST fellow and the lead author of the new guide, discussed the proposed guidelines at a Nov. 19 FCW cybersecurity event. Federal contractors; state, local and tribal governments; colleges and universities all use and store federal data in a variety of ways, he said. Those groups perform scientific research, conduct background investigations for security clearances, provide financial services, develop technology in support of federal agency missions, and engage in other work on behalf of the federal government.
The data involved can include personally identifiable information, financial data, medical records, technical drawings and other sensitive data. A federal CUI registry outlines 22 top-level categories of data, with subcategories covering everything from electronic fund transfers to source selection in the procurement process.
The new document, Draft Special Publication 800-171, declares that protection of this data on nonfederal systems "is of paramount importance to federal agencies -- and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations."
NIST said the draft was developed in collaboration with the National Archives and Records Administration (NARA) and responds to a 2010 executive order that calls for government-wide standards on the treatment of CUI. The ultimate goal, Ross said, is to ensure that the statutory and regulatory requirements for protecting CUI are consistent, regardless of whether the data resides in federal or nonfederal information systems.
Currently, Ross said, nonfederal organizations must try to meet a wide range of contract clauses, and "conflicting guidance" from different agencies can lead to "confusion and inefficiencies."
Office of Management and Budget regulations already require agencies to ensure their partners protect CUI, he told FCW after the event, "but they never really tell you exactly how to do that."
The draft standards would remedy that situation, requiring nonfederal systems to incorporate two-factor authentication when CUI is stored, and generally meet the Federal Information Security Management Act (FISMA) moderate standards already in place on 70 percent of agency systems.
"We didn't want to have a two-stage solution," Ross said, where different standards applied once data "goes over the fence" and into nonfederal systems.
The draft is part of a three-legged strategy to standardize how CUI is handled -- an effort that would also lead to changes in the acquisition process.
John Fitzpatrick, director of NARA's Information Security Oversight Office, said in a Nov. 18 statement that "this publication and NARA's plan to have a single government-wide CUI directive, as well as our third step of developing a uniform Federal Acquisition Regulation clause to apply them, will bring clarity and consistency to the handling of CUI."
Ross said that a second draft of SP800-171 should be ready by March 2015, with a final document completed by June -- and the related FAR changes coming soon thereafter.
The agency wants comments on SP800-171 between now and Jan. 16. Comments can be emailed to [email protected]
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Contact him at [email protected] or follow him on Twitter at @MRockwell4.
Troy K. Schneider is the Editor-in-Chief of both FCW and GCN, two of the oldest and most influential publications in public-sector IT. Both publications (originally known as Federal Computer Week and Government Computer News, respectively) are owned by GovExec. Mr. Schneider also serves as GovExec's General Manager for Government Technology Brands.
Mr. Schneider previously served as New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company, where he oversaw the online operations of The Atlantic Monthly, National Journal, The Hotline and The Almanac of American Politics, among other publications. The founding editor of NationalJournal.com, Mr. Schneider also helped launch the political site PoliticsNow.com in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times, WashingtonPost.com, Slate, Politico, Governing, and many of the other titles listed above.
Mr. Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.