The National Institute of Standards and Technology (NIST) aims to improve communication with the organizations that operate non-Federal systems containing Federal data through updates to its guidelines “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” also referred to as NIST SP 800-171.
“This is a process that is ongoing,” said Ron Ross, a Fellow at NIST and co-author of the guidelines. “We are trying to do everything we can to have a great vehicle to communicate.”
The updates, announced on Tuesday, include clarifications to statements and requirements, additional terms and definitions in the glossary, and the inclusion of hyperlinks to facilitate ease of use. The most significant update, however, is the inclusion of System Security Plans, which help non-Federal partners to determine where their information security is, where it needs to be, and how to get there.
“We needed to have a vehicle so our non-Federal partners could communicate what was implemented and how it was implemented,” said Ross. “It’s really a way for us to increase accountability on both sides.”
The NIST guidelines are part of the Controlled Unclassified Information (CUI) Program, established by a 2010 executive order and administered by the National Archives and Records Administration (NARA). The original 800-171 was published in June 2015, and has been updated based on continual feedback from private and public entities.
“NIST SP 800-171 is critical to our strategy to strengthen needed protections for CUI,” John Fitzpatrick, director of NARA’s Information Security Oversight Office, said in NIST’s 2015 press release announcing the guidelines’ publication. “Together with NARA’s recently proposed CUI regulation and a planned Federal Acquisition Regulation clause, we will bring clarity and consistency to the handling of CUI across government.”
Ross said that the time since the original publication has given the authors a year’s worth of deeper understanding to draw on for the updates.
“They’re not an overwhelming number of changes, but they are significant,” he said.
Ross also believes that the more streamlined nature of this publication will provide both Federal and non-Federal entities with a more direct understanding of what is required of them.
“This set of requirements is much more tailored to the confidentiality requirement,” Ross said. “We’ve gotten rid of a lot of the things that aren’t relevant.”
Though 800-171 does not have the force of law or policy, its guidelines are referenced in a number of more binding policies and stand as a bar by which the Federal government can measure information security practices.
“These requirements are fairly standard in the sense that they represent best practices,” Ross said. “Every non-Federal organization is in a different place in regards to their information security systems. There’s a pathway to getting to green, so to speak, to meeting all the requirements.”
Ross said that the goal is to publish the final guidelines in October, after reviewing responses from this version’s 30-day public comment period ending on Sept. 16.