TRENDING:

Securing Federal Data on Nonfederal Systems

NIST Aims to Eliminate Conflicting Guidance on Data Storage Eric Chabrow (GovInfoSecurity) • November 24, 2014    
Securing Federal Data on Nonfederal Systems

Spurred, in part, by cloud computing, the amount of federal data finding its way onto computers outside of the government is soaring. To ensure data security, NIST is drafting guidance to standardize safeguards of federal data stored on nonfederal computers.

See Also: DataOps & Multi-Cloud: Streamlining Data Management

"We're concerned about controlled unclassified information no matter where it might reside," says Ron Ross, a NIST fellow who's the lead author of the guidance. "It still needs to be protected because that information is sensitive and can be supporting important federal missions and business operations."

The guidance, issued in draft form, is known as Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

The genesis of the guidance is a 2010 presidential executive order focused on the handling of what's known as controlled unclassified information, or CUI - sensitive information such as financial data, medical records and personally identifiable information.


Ron Ross discusses lessons learned from creating SP 800-171

NIST developed the guidance in cooperation with the National Archives and Records Administration. The guidance goes beyond safeguarding data stored by cloud providers, also aiming to protect government information stored on computers of government and military contractors as well as those operated by academic institutions, state and local governments and not-for-profit organizations.

"Nonfederal organizations receive conflicting guidance from federal agencies on how to handle the same information, giving rise to confusion and inefficiencies," says John Fitzpatrick, director of NARA's Information Security Oversight Office, explaining the need for the guidance.

Though the guidance is aimed at federal agencies, Ross says the publication would be of value to enterprises outside the federal government that store federal data. That's because it gives them an idea of what the federal government will require in contracts for various services and programs involving the storage of federal data. Ross says new federal acquisition rules will cite the guidance beginning next year.

"Every federal contract that involves CUI will have to meet these requirements," Ross say. "So it's good to anticipate. You can be proactive, and it represents best practices, and it can raise the bar for security for all of our organizations that care about protecting their own businesses, their own missions - whatever they value within the space of information technology."

NIST is seeking suggestions to improve on the draft guidance from stakeholders, who can submit their comments by Jan. 16 to sec-cert@nist.gov.

Previous
Report: HHS Faces Fraud, Security Challenges
Next
Police Target Remote Access Trojan Use

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



Around the Network

Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.