The National Institute of Standards and Technology is revising its guidance on how organizations outside the U.S. government should protect sensitive federal data.
NIST has published a revised draft of its 14-month-old guidance, Special Publication 800-171: Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
In an interview with Information Security Media Group, NIST Fellow Ron Ross says the most significant update is a proposed requirement that organizations provide, if requested, documents to show how they're securing sensitive government data on their computers or furnish plans explaining how they will do so.
"This kind of puts everybody in an accountability state," says Ross, chief author of the guidance. "It's truth in advertising."
U.S. federal agencies contract with thousands of private businesses to provide credit card and other financial services, provide email services, conduct background checks for security clearances, process healthcare claims and furnish cloud services.
Sensitive federal information often is provided to or shared with state and local governments, colleges and universities and independent research organizations. SP 800-171 aims to help these organizations secure sensitive data. The guidance also helps government officials responsible for contracting with these organizations to determine whether federal controlled unclassified information remains secure outside the government.
In the interview, Ross:

- Explains how the revised draft document differs from the initial guidance published in June 2015;
- Defines controlled unclassified information, the sensitive data at the heart of the guidance; and
- Describes the rationale behind why organizations housing sensitive government data need to safeguard that information.

At NIST, Ross specializes in security requirements definition, security testing and evaluation, and information assurance. He leads NIST's Federal Information Security Management Act Implementation Project, which includes the development of key security standards and guidelines for the federal government and critical information infrastructure.