There is now clearer, more straightforward guidance for protecting the sensitive data that contractors and organizations handle in their dealings with the federal government.

That is because the National Institute of Standards and Technology (NIST) finalized its updated guidelines for protecting this data, known as controlled unclassified information (CUI), in two publications: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and its companion, Assessing Security Requirements for Controlled Unclassified Information.

These guidelines require organizations to safeguard CUI such as intellectual property and employee health information. Systems that process, store and transmit CUI often support government programs involving critical assets, such as weapons systems and communications systems, which are potential targets for adversaries.

While the focus of these publications is on working with the federal government, they can also give ideas on how the private sector can protect sensitive data.

Schneider Bold

The two publications draw on NIST’s source catalog of security and privacy controls (NIST SP 800-53) and assessment procedures (NIST SP 800-53A).

Before this update, the wording of these documents did not match the language of the source catalogs, potentially creating ambiguity in the security requirements and uncertainty in security requirement assessments. The update addresses these issues and also streamlines and harmonizes NIST’s portfolio of cybersecurity guidance.

“For the sake of our private sector customers, we want our guidance to be clear, unambiguous and tightly coupled with the catalog of controls and assessment procedures used by federal agencies,” said NIST’s Ron Ross, one of the publications’ authors. “This update is a significant step toward that goal.”

NIST released draft versions of the guidelines for public comment last year. Ross said the update acknowledges the community’s interest in making the safeguards available in machine-readable formats, such as JSON and Excel, which would benefit cybersecurity tool developers and implementing organizations. These alternate formats are now available through NIST’s Cybersecurity and Privacy Reference Tool.

“Toolmakers often want to import relevant sections of the guidance directly into an electronic form for easier reference and use,” he said. “Providing the guidance in these additional formats will allow them to do that. It will help a wider group of users to understand the requirements and implement them more quickly and efficiently.”

Additionally, to assist implementers already using Revision 2, NIST issued an analysis of changes that details how each requirement has evolved.
