New draft guidance aims to protect contractor-held data

NIST offered its final pitch this month for how nonfederal entities should handle the government's unclassified data.

The National Institute of Standards and Technology has issued a final draft guidance on contractors protecting sensitive, but unclassified, federal information.

The guidance concerns a type of data called controlled unclassified information, or CUI. Contractors use this information to conduct a range of activities — like perform scientific research and background checks, provide financial services, and develop technology.

Various agencies currently may have different requirements for the contractors, local governments and academic institutions that secure this type of data. As a result, these nongovernment entities can receive conflicting information on how to store the unclassified information.

To develop the guidance, NIST has worked with the National Archives and Records Administration, which the White House had tasked to oversee a program to manage CUI in 2010, and the Department of Defense.


The newest iteration of the guidance “provides a flexible way to achieve IT protection levels comparable to federal standards in a framework that can be tailored to organizations that are not part of the Federal Government, and therefore are not subject to FISMA or other IT regulations,” the National Archive’s Information Security Oversight Office Director John Fitzpatrick told FedScoop in an email this week.

NARA plans to propose a Federal Acquisition Regulation clause to apply this guidance in an effort to ensure the protection of CUI in companies doing business with the government, he said.

The two agencies had released an earlier draft guidance late last year. Fitzpatrick told FedScoop the previous draft was well received, however the new version:

  • Adjusts the CUI security requirements to ensure complete coverage of federal policies, standards, and guidance.
  • Provides tables that illustrated the mapping of CUI security requirements to security controls in the NIST Special Publication 800-53.
  • Provides mapping to the ISO/IEC 27001. This mapping provides clarity on the tailoring process. By mapping to ISO/IEC 27001, it better accommodated those stakeholders who based their practices on international standards.

The public can comment on the new draft through May 12.

Latest Podcasts