NIST issues final guidance update for protecting sensitive information

The publications are aimed at providing clearer and unambiguous guidance to private-sector partners, according to the agency.

Final versions of two publications that the National Institute of Standards and Technology issued Tuesday are aimed at helping contractors and other organizations protect and secure controlled unclassified information they handle.

The guidance comes after the agency solicited feedback on drafts of the documents last year, and clarifies previous NIST guidance that included language inconsistent with the agency’s source catalog of security and privacy controls. In a Tuesday release, NIST said that wording potentially created “ambiguity” and “uncertainty.”

“For the sake of our private sector customers, we want our guidance to be clear, unambiguous and tightly coupled with the catalog of controls and assessment procedures used by federal agencies,” Ron Ross, an author of the publications, said in the release. “This update is a significant step toward that goal.”

The two publications are Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (Special Publication 800-171r3) and Assessing Security Requirements for Controlled Unclassified Information (SP 800-171Ar3). The latter is a companion publication to help people assess the requirements outlined in the former and includes updated assessment procedures and new examples of how to conduct those assessments, according to the release.


Controlled unclassified information, which includes things like intellectual property and employee health information, can be enticing for bad actors. “Systems that process, store and transmit CUI often support government programs involving critical assets, such as weapons systems and communications systems, which are potential targets for adversaries,” according to the release. 

In the release of the draft versions last year, Ross noted CUI had recently “been a target of state-level espionage.”

The updates take into account commenters’ interest in machine-readable formats of the guidance, like JSON and Excel, to make them easier to use and reference, according to the release.

“Providing the guidance in these additional formats will allow them to do that. It will help a wider group of users to understand the requirements and implement them more quickly and efficiently,” Ross said.

In addition to issuing the new publications, NIST said it plans to revise other publications related to CUI in “coming months.” Those updates will include publications on enhanced security requirements (SP 800-172) and assessments (SP 800-172A).

Written by Madison Alder

Madison Alder is a reporter for FedScoop in Washington, D.C., covering government technology. Her reporting has included tracking government uses of artificial intelligence and monitoring changes in federal contracting. She’s broadly interested in issues involving health, law, and data. Before joining FedScoop, Madison was a reporter at Bloomberg Law where she covered several beats, including the federal judiciary, health policy, and employee benefits. A west-coaster at heart, Madison is originally from Seattle and is a graduate of the Walter Cronkite School of Journalism and Mass Communication at Arizona State University.
