NIST Finalizes Updated Guidelines for Protecting Sensitive Information



Contractors and other organizations that do business with the federal government now have clearer, more straightforward guidance for protecting the sensitive data they handle. 

The National Institute of Standards and Technology (NIST) has finalized its updated guidelines for protecting this data, known as controlled unclassified information (CUI), in two publications: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171, Revision 3), and its companion, Assessing Security Requirements for Controlled Unclassified Information (NIST SP 800-171A, Revision 3). 

These guidelines require organizations to safeguard CUI such as intellectual property and employee health information. Systems that process, store and transmit CUI often support government programs involving critical assets, such as weapons systems and communications systems, which are potential targets for adversaries. 

The two publications draw on NIST’s source catalog of security and privacy controls (NIST SP 800-53) and assessment procedures (NIST SP 800-53A). Before this update, the wording of these documents did not match the language of the source catalogs, potentially creating ambiguity in the security requirements and uncertainty in security requirement assessments. The update is designed to address these issues and also streamline and harmonize NIST’s portfolio of cybersecurity guidance.

“For the sake of our private sector customers, we want our guidance to be clear, unambiguous and tightly coupled with the catalog of controls and assessment procedures used by federal agencies,” said NIST’s Ron Ross, one of the publications’ authors. “This update is a significant step toward that goal.”
