Two agencies that oversee government data released a draft guidance that aims to protect sensitive federal information stored on the computers of contractors.
Agencies have different requirements for securing federal information, so contractors often receive conflicting information on what to do with the data, according to a release on the draft guidance. The recommendations — developed by the National Institute of Standards and Technology, and the National Archives and Records Administration — are for federal agencies to ensure the nonfederal organizations adequately protect federal information in the nonfederal computer systems.
So-called controlled unclassified information, or CUI, is “of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations,” according to the guidance.
Contractors use nonclassified government information for a range of functions, including conducting scientific research and background investigations for security clearances, providing financial services, and developing technology.
The guidance also would apply to nongovernment groups that store government information — including state, local, and tribal governments; and colleges and universities.
In 2010, the Obama administration issued an executive order directing the National Archives to oversee a program to manage CUI. In a release announcing the publication of the draft guidance, John Fitzpatrick, director of the National Archive’s Information Security Oversight Office, said the agency has already determined what CUI categories must be protected and has developed a federal CUI rule now under OMB review.
“This publication and NARA’s plan to have a single government-wide CUI directive, as well as our third step of developing a uniform Federal Acquisition Regulation clause to apply them, will bring clarity and consistency to the handling of CUI,” Fitzpatrick said.
Comments on the draft guidance are due Jan. 16.