NIST issues guidance for CUI in non federal systems

NIST: Protecting data after it's left your network

The National Institute of Standards and Technology has published the final version of its guidance to ensure that sensitive federal information remains confidential even when stored in nonfederal information systems.

Working with the National Archives and Records Administration, NIST released draft guidance last November to clarify how contractors, state and local governments, universities and independent research organizations routinely process, store and transmit sensitive federal information.

The final guidance, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST Special Publication 800-171), gives federal agencies recommended requirements for protecting the confidentiality of CUI residing in nonfederal systems that process, store, transmit or provide security for CUI. The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between agencies and nonfederal organizations.

As the executive agent of the CUI program, NARA plans to issue a regulation this year to establish controls and markings for CUI governmentwide, and to require executive branch agencies to uniformly apply the standards established by the CUI program. The proposed regulation is expected to reduce complexity for federal agencies and their nonfederal partners, including contractors.

In 2016 NARA plans to sponsor a single Federal Acquisition Regulation clause that will apply the requirements contained in the proposed federal CUI regulation and Special Publication 800-171 to contractors.

The CUI guidelines are drawn from existing computer security requirements for federal information systems found in two of NIST's foundational information security documents: Federal Information Processing Standard 200 and the Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53).

"NIST SP 800-171 is critical to our strategy to strengthen needed protections for CUI," said John Fitzpatrick, director of NARA's Information Security Oversight Office. "Together with NARA's recently proposed CUI regulation and a planned Federal Acquisition Regulation clause, we will bring clarity and consistency to the handling of CUI across government."

About the Author

Connect with the GCN staff on Twitter @GCNtech.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected