NIST issues final guidance update for protecting sensitive information
Final versions of two publications that the National Institute of Standards and Technology issued Tuesday are aimed at helping contractors and other organizations protect and secure controlled unclassified information they handle.
The guidance comes after the agency solicited feedback on drafts of the documents last year, and clarifies previous NIST guidance that included language inconsistent with the agency’s source catalog of security and privacy controls. In a Tuesday release, NIST said that wording potentially created “ambiguity” and “uncertainty.”
“For the sake of our private sector customers, we want our guidance to be clear, unambiguous and tightly coupled with the catalog of controls and assessment procedures used by federal agencies,” Ron Ross, an author of the publications, said in the release. “This update is a significant step toward that goal.”
The two publications are Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (Special Publication 800-171r3) and Assessing Security Requirements for Controlled Unclassified Information (SP 800-171Ar3). The latter is a companion publication to help people assess the requirements outlined in the former and includes updated assessment procedures and new examples of how to conduct those assessments, according to the release.
Controlled unclassified information, which includes things like intellectual property and employee health information, can be enticing for bad actors. “Systems that process, store and transmit CUI often support government programs involving critical assets, such as weapons systems and communications systems, which are potential targets for adversaries,” according to the release.
In the release of the draft versions last year, Ross noted CUI had recently “been a target of state-level espionage.”
The updates take into account commenters’ interest in machine-readable formats, like JSON and Excel, that make the guidance easier to use and reference, according to the release.
“Providing the guidance in these additional formats will allow them to do that. It will help a wider group of users to understand the requirements and implement them more quickly and efficiently,” Ross said.
In addition to issuing the new publications, NIST said it plans to revise other publications related to CUI in “coming months.” Those updates will include publications on enhanced security requirements (SP 800-172) and assessments (SP 800-172A).