
NIST guidance: Better security from federal contractors

With the recent OPM breach raising questions about the security of federal data within the government, NIST has issued new guidelines in order to secure data stored by federal contractors outside government facilities.

The National Institute of Standards and Technology has released new guidelines in an effort to secure federal data stored by contractors outside of the federal government.

The new guidelines (Special Publication 800-171) will apply to any organizations or information systems outside the federal government that process, transmit or store federal data considered to be "controlled unclassified information" (CUI). Classified information is regulated by a different set of rules.

The intent of the new guidelines is to provide federal agencies with recommended requirements for protecting confidentiality of CUI when dealing with private contractors, local government agencies, academic institutions or research organizations that handle federal data.

The recommendations cover 14 areas: access control, awareness and training, audit and accountability, configuration management, ID and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.

According to the guidelines, if government data is designated to specific systems, organizations can limit the scope of the security requirements to those systems. This could incentivize those organizations to segment CUI as much as possible, but federal agencies can require segmentation because the originating agency is held responsible for the data.




How effective do you expect these new guidelines to be?
Actually, as a veteran, and given the issues they have had so far, I’m more concerned with how they protect my information handled by government employees, not contractors.
A very well written article, although I didn't quite get what had changed from it.
I thought a bit more about this one, and it occurs to me that they probably regularly update rules for this, and require regular training of cleared employees and companies with access to such sensitive data. I would not presume this is just because of the OPM Breach.