New NIST guidance planned as part of federal info policy

Government officials can get ready to toss out their "For Official Use Only" stamps under a pending rule that would standardize how the government marks and stores information that is deemed sensitive but is not classified.

The National Archives and Records Administration is leading the charge for a new policy on controlled unclassified information (CUI) designed to replace the more than 100 ad hoc system maintained by agencies across government to control – critics say over-control -- information.

In consultation with more than 150 government entities, NARA has come up with a list of 22 categories and 85 subcategories that are considered CUI under the law. These include copyright and patent information, personally identifiable information, raw census data, intelligence and law enforcement data, and information systems vulnerabilities. These are maintained in NARA's CUI Registry. A proposed rule expected to be put out for comment in the Federal Register in August will established uniform policies for the safeguarding, sharing, marking and release of CUI.

New policy will also clarify the relationship between CUI safeguards and decisions to consider documents ineligible for release under the Freedom of Information Act. This will build on existing NARA guidance says that, "CUI markings and designations should not be associated with or paired to FOIA exemptions and should not be used as a basis for applying a FOIA exception."

The NARA effort, though supported by President Barack Obama's Executive Order 13556, lacks a dedicated funding source, and compliance with any IT requirements on the agency side will have to be made in the context of an agency's overall acquisition plan. The rules on CUI "will slipstream through standards that already exist, rather than create parallel or conflicting sets of definition and practices,' said John Fitzpatrick, director of the Information Security Oversight Office at NARA, in a presentation at a June 12 meeting of the National Institute for Standards and Technology's Information Security and Privacy Advisory Board.

Under the planned NARA rule, government agencies hosting CUI in their systems would be directed to adhere to the FISMA moderate standard. Fitzpatrick said that about 80 percent of covered systems already adhere to that standard. "For the other 20 percent, it is going to cause work, but it does not portend a big shift across government," Fitzpatrick said.

NARA is leaning on NIST to push out standards for contractors who hold federal CUI in their systems. This has been a gray area from a regulatory point of view, noted Ron Ross, computer scientist and NIST fellow who leads efforts to propagate security standards for federal and contractor IT systems. The pending NIST guidance is as yet untitled, but was just awarded its own special publication number -- 800.171 -- signifying its importance.

"This is another niche that has not been covered yet. There is the potential for CUI to end up in contractors' organizations that are totally uncovered" by FISMA standards, said Ross. The NIST guidance is being prepared in conjunction with a change to the Federal Acquisition Regulation that would put CUI protection requirements in federal contracts.

NIST has "volunteered to take the arrows as we go through the public vetting process," Ross said. If recent changes to the defense acquisition rules covering unclassified controlled technical information are any indication, Ross said, "we have some rough sledding ahead."

The NIST guidance is planned to be released in fiscal 2015 in order to provide a point of reference for a FAR rule change, planned for fiscal 2016. The CUI rule is expected to be finalized and in effect by April 2015, with full implementation phased in across all agencies in fiscal 2019.