The National Institute of Standards and Technology has released final guidelines for contractors safeguarding sensitive, but unclassified, federal information.
The guidance involves what’s called controlled unclassified information, or CUI. Contractors use this data to perform scientific research, conduct background checks, develop technology and accomplish a range of other functions for the government. The guidance would also apply to other nonfederal government entities that use CUI, like universities, state governments and research organizations.
In 2010, the White House issued an executive order establishing a CUI program and charged the National Archives and Records Administration with managing it. NIST worked with the National Archives to develop the guidelines, which apply to all parts of nonfederal IT systems “that process, store or transmit CUI, or provide security protection for those components,” according to a release.
The guidelines come after NIST and the National Archives released two drafts for public comment in April and November. Currently, they aren’t mandatory and must be applied through a contract or regulation, John Fitzpatrick, director of the National Archives’ Information Security Oversight Office, wrote in an email.
Meanwhile, NIST and the National Archives are working on a CUI rule for federal agencies. Fitzpatrick said that’s a critical piece for his office as it plans to propose a standard federal acquisition regulation clause for agencies to use when they have contracts involving CUI.
“[P]rocedurally, we are not permitted to propose a [Federal Acquisition Regulation] rule for contractors until after we have a final regulation, which applies to agencies,” he said.