Securing Federal Data on Nonfederal Systems
NIST Aims to Eliminate Conflicting Guidance on Data Storage
Spurred, in part, by cloud computing, the amount of federal data finding its way onto computers outside of the government is soaring. To ensure data security, NIST is drafting guidance to standardize safeguards of federal data stored on nonfederal computers.
"We're concerned about controlled unclassified information no matter where it might reside," says Ron Ross, a NIST fellow who's the lead author of the guidance. "It still needs to be protected because that information is sensitive and can be supporting important federal missions and business operations."
The guidance, issued in draft form, is known as Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
The genesis of the guidance is a 2010 presidential executive order focused on the handling of what's known as controlled unclassified information, or CUI - sensitive information such as financial data, medical records and personally identifiable information.
NIST developed the guidance in cooperation with the National Archives and Records Administration. The guidance goes beyond safeguarding data stored by cloud providers, also aiming to protect government information stored on computers of government and military contractors as well as those operated by academic institutions, state and local governments and not-for-profit organizations.
"Nonfederal organizations receive conflicting guidance from federal agencies on how to handle the same information, giving rise to confusion and inefficiencies," says John Fitzpatrick, director of NARA's Information Security Oversight Office, explaining the need for the guidance.
Though the guidance is aimed at federal agencies, Ross says the publication would be of value to enterprises outside the federal government that store federal data. That's because it gives them an idea of what the federal government will require in contracts for various services and programs involving the storage of federal data. Ross says new federal acquisition rules will cite the guidance beginning next year.
"Every federal contract that involves CUI will have to meet these requirements," Ross says. "So it's good to anticipate. You can be proactive, and it represents best practices, and it can raise the bar for security for all of our organizations that care about protecting their own businesses, their own missions - whatever they value within the space of information technology."
NIST is seeking suggestions to improve on the draft guidance from stakeholders, who can submit their comments by Jan. 16 to email@example.com.