Securing Federal Data on Nonfederal Systems
NIST Publication Aims to Help Agencies Negotiate Contracts
The National Institute of Standards and Technology has issued new guidance aimed at protecting federal data that's stored on information systems outside the federal government.
Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, applies to information systems and organizations outside of the federal government that process, store or transmit federal controlled unclassified information, or CUI.
CUI is any information that the federal government requires to be safeguarded by security and/or privacy controls, excluding information that is deemed classified, which is protected under a different set of regulations.
SP 800-171 is intended to guide federal agencies when negotiating contracts or other agreements to store and process CUI with nonfederal organizations, such as private contractors; state, local and tribal governments; colleges and universities; and think tanks. Following the guidance is not yet mandated. But the National Archives and Records Administration, an independent federal agency, is developing a federal acquisition regulation, expected to be implemented next year, that would require agencies to negotiate with their nonfederal partners to implement controls listed in SP 800-171.
Set of Consistent Requirements
"This will give the contracting community, and all those folks who are going to be handling CUI, a set of consistent requirements so every federal agency won't be levying their own set of requirements out there; they'll all be consistent with what's in 800-171," says NIST Fellow Ron Ross, lead author of the new guidance.
The guidance, issued this month, does not apply to contractors that operate federal information systems. In those instances, other NIST guidance, such as SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations, takes precedence.
SP 800-171 aims to protect information at the "moderate confidentiality impact level." Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems, defines a moderate impact level as a loss of confidentiality that would have a serious adverse effect on the organization's operations, assets or individuals.
The guidance is good news for the federal government and its partners, Ross says, "because, as we know, all of us have to be on guard every day to bring our A game to this problem. The adversaries are always trying to breach our systems; they're trying to get that valuable data wherever it might be. SP 800-171 is based on best practices, and it's going to be a very, very consistent and thorough way to look at the protection problem when it comes to the control of unclassified information."
Requiring Specific Architectures
Federal law requires that government agencies retain responsibility for data security even when the information is stored and processed on, or transmitted to and from, nonfederal systems. To ensure the confidentiality of federal data, the new guidance allows federal agencies to require their nonfederal partners to isolate CUI in its own security domain by applying architectural design principles, such as placing the systems that handle CUI on separate subnetworks protected by firewalls or other boundary protection devices.
The guidance identifies 14 families of security requirements for protecting the confidentiality of CUI on nonfederal systems: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
SP 800-171 also contains several appendixes. One helps organizations that have adopted the federal government's cybersecurity framework map the CUI security requirements to the security controls in SP 800-53 and in ISO/IEC 27001, the information security standard published by the International Organization for Standardization.
"Protecting the confidentiality of CUI is critical to the mission and business success of federal agencies and the economic and national security interests of the nation," the guidance says.