It’s a long road ahead, but federal agencies and contractors are laying the groundwork to implement the National Institute of Standards and Technology’s latest framework aimed at protecting federal information that’s shared on systems not owned by the federal government.
NIST’s Special Publication 800-171, which went into effect at the end of 2017, lays out the standards non-federal entities — such as contractors, state governments and federal grant recipients — should follow when handling controlled unclassified information, which includes Social Security numbers, names, addresses and sensitive financial information.
Now the clock is ticking for federal contractors to meet the SP 800-171 standards, but defense and civilian contractors are on two separate timelines.
The Defense Department originally set Jan. 1 as the deadline for its contractors to meet the standards of SP 800-171, but then extended the compliance deadline. Instead, DoD mandated that contractors have a plan in place to comply by the original Jan. 1 deadline.
Meanwhile, the General Services Administration has proposed a rule to require civilian contractors to implement the NIST framework. The public comment period for the proposed rule runs from April to June 2018.
“We want to protect that information when it moves from the federal space to the non-federal. It still should be protected the same way that we try to protect it when we have control of it in the federal space,” said Kelley Dempsey, the information security specialist at NIST who co-authored SP 800-171.
Speaking at a panel discussion in Tysons, Virginia, sponsored by StackArmor, Dempsey said the new CUI framework plays a key role when the IRS hands federal tax information off to state internal revenue services, or when colleges and universities need to protect information pertaining to federal grants.
But when it comes to understanding when to label sets of data as CUI, Devin Casey, a program analyst with the National Archives and Records Administration, said he’s seen a good deal of uncertainty.
That uncertainty in an information security system, he added, can prevent authorized users from accessing the information they need.
“We’re all aware that people have been getting access to unclassified controlled information in the government. So we’re failing on the security side. But it’s also important to note there were significant issues internal and external to the government with getting the right people access to the information that we already were protecting,” Casey said. “Agencies were having trouble sharing controlled unclassified information from one agency to another because there was no standard government program that they could rely on. They had to do risk assessments and in-depth information sharing agreements just to share from DHS to DoD and back for each type of data that was being shared.”
These information sharing agreement processes, he said, usually were created by agencies and often in “somewhat of a vacuum,” meaning they addressed how to protect information on a system, but frequently left off other key elements of an information security program, like marking and training.
“The government was failing on both sides. We weren’t getting the information to the people who needed it in a timely and expedient fashion and cost-effective manner, and people who weren’t supposed to get it were. That’s why we’re engaging in what’s possibly the largest information security reform since we created the classified program or the Privacy Act.”
Looking ahead, NARA is working with GSA to update the Federal Acquisition Regulation (FAR) to meet the CUI requirements.
“We worked a lot with [the Under Secretary of Defense for Acquisition, Technology and Logistics] when they put together the [DFARS] 7012, so you’ll see some similarities between what’s there and what we’re planning,” Casey said.