NIST issues guidance for CUI in nonfederal systems

NIST: Protecting data after it's left your network

The National Institute of Standards and Technology has published the final version of its guidance to ensure that sensitive federal information remains confidential even when stored in nonfederal information systems.

Working with the National Archives and Records Administration, NIST released draft guidance last November to clarify how contractors, state and local governments, universities and independent research organizations routinely process, store and transmit sensitive federal information.

The final guidance, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST Special Publication 800-171), gives federal agencies recommended requirements for protecting the confidentiality of CUI residing in nonfederal systems that process, store, transmit or provide security for CUI. The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between agencies and nonfederal organizations.

As the executive agent of the CUI program, NARA plans to issue a regulation this year to establish controls and markings for CUI governmentwide, and to require executive branch agencies to uniformly apply the standards established by the CUI program. The proposed regulation is expected to reduce complexity for federal agencies and their nonfederal partners, including contractors.

In 2016 NARA plans to sponsor a single Federal Acquisition Regulation clause that will apply the requirements contained in the proposed federal CUI regulation and Special Publication 800-171 to contractors.

The CUI guidelines are drawn from existing computer security requirements for federal information systems found in two of NIST's foundational information security documents: Federal Information Processing Standard 200 and the Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53).

"NIST SP 800-171 is critical to our strategy to strengthen needed protections for CUI," said John Fitzpatrick, director of NARA's Information Security Oversight Office. "Together with NARA's recently proposed CUI regulation and a planned Federal Acquisition Regulation clause, we will bring clarity and consistency to the handling of CUI across government."

About the Author

Connect with the GCN staff on Twitter @GCNtech.

