The National Institute of Standards and Technology recently issued a draft of Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” The new document contains security requirements applicable “to nonfederal information systems (or components of nonfederal systems) and organizations that process, store, or transmit Controlled Unclassified Information (CUI) as defined by Executive Order 13556,” Controlled Unclassified Information (November 4, 2010).
While acknowledging the potential for some contractors to use additional security measures, the publication attempts to address the need for a unified and mandatory approach to contractor data security across the federal government. The NIST guidance is aimed at contractors that “already have information technology infrastructure, acquisition process, associated security policies, procedures, and practices in place.” The document is part of a three-part plan (i.e., development of the CUI rule, NIST Special Publication, and standard FAR clause) that will ultimately make its recommended safeguards for the protection of CUI mandatory.
At this point, however, NIST is seeking feedback because “[t]he very insightful comments from both the public and private sectors, nationally and internationally, continue to help shape [NIST] publications and ensure that they are meeting the needs and expectations of [its] customers.” The public comment period ends January 16, 2015. Comments may be submitted by mail to: National Institute of Standards and Technology, Attn: Computer Security Division, Information Technology Laboratory, 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-8930; or by electronic mail to: email@example.com.
Eric Whytsell is responsible for the content of this article.
© Jackson Kelly PLLC 2014