NIST, NARA move to secure federal data on outside systems

The National Institute of Standards and Technology has new recommendations for securing sensitive data on IT systems at companies that work for the government. The draft standards, released Nov. 18, are aimed at contractors and other nonfederal organizations that store federal controlled but unclassified information (CUI) in the course of their work.

Ron Ross, a NIST fellow and the lead author of the new guide, discussed the proposed guidelines at a Nov. 19 FCW cybersecurity event. Federal contractors; state, local and tribal governments; colleges and universities all use and store federal data in a variety of ways, he said. Those groups perform scientific research, conduct background investigations for security clearances, provide financial services, develop technology in support of federal agency missions, and engage in other work on behalf of the federal government. 

The data involved can include personally identifiable information, financial data, medical records, technical drawings and other sensitive data. A federal CUI registry outlines 22 top-level categories of data, with subcategories covering everything from electronic fund transfers to source selection in the procurement process.

The new document, Draft Special Publication 800-171, declares that protection of this data on nonfederal systems "is of paramount importance to federal agencies -- and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations."

NIST said the draft was developed in collaboration with the National Archives and Records Administration (NARA) and responds to a 2010 executive order that calls for government-wide standards on the treatment of CUI. The ultimate goal, Ross said, is to ensure that the statutory and regulatory requirements for protecting CUI are consistent, regardless of whether the data resides in federal or nonfederal information systems.

Currently, Ross said, nonfederal organizations must try to meet a wide range of contract clauses, and "conflicting guidance" from different agencies can lead to "confusion and inefficiencies."

Office of Management and Budget regulations already require agencies to ensure their partners protect CUI, he told FCW after the event, "but they never really tell you exactly how to do that."

The draft standards would remedy that situation, requiring nonfederal systems to incorporate two-factor authentication when CUI is stored, and generally meet the Federal Information Security Management Act (FISMA) moderate standards already in place on 70 percent of agency systems.

"We didn't want to have a two-stage solution," Ross said, where different standards applied once data "goes over the fence" and into nonfederal systems.

The draft is part of three-legged strategy to standardize how CUI is handled -- an effort that would also lead to changes in the acquisition process.

John Fitzpatrick, NARA's director of Information Security Oversight Office, said in a Nov. 18 statement that "this publication and NARA’s plan to have a single government-wide CUI directive, as well as our third step of developing a uniform Federal Acquisition Regulation clause to apply them, will bring clarity and consistency to the handling of CUI.”

Ross said that a second draft of SP800-171 should be ready by March 2015, with a final document completed by June -- and the related FAR changes coming soon thereafter.

The agency wants comments on SP800-171 between now and Jan. 16. Comments can be emailed to sec-cert@nist.gov.