The National Institute of Standards and Technology has released new guidelines in an effort to secure federal data stored by contractors outside of the federal government.
The new guidelines (Special Publication 800-171) will apply to any organizations or information systems outside the federal government that process, transmit or store federal data considered to be "controlled unclassified information" (CUI). Classified information is regulated by a different set of rules.
The intent of the new guidelines is to provide federal agencies with recommended requirements for protecting the confidentiality of CUI when dealing with private contractors, local government agencies, academic institutions or research organizations that handle federal data.
The recommendations cover 14 areas: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
According to the guidelines, if government data is confined to specific systems, organizations can limit the scope of the security requirements to those systems. This could incentivize organizations to segment CUI as much as possible, and federal agencies can also require such segmentation, because the originating agency remains responsible for the data.