Contractors Could Get New Rules for Handling Sensitive Government Data


The published draft requirements are for nonfederal groups with access to “controlled unclassified information”.

Private sector government contractors may soon be subject to new rules for managing sensitive federal information.

The National Institute of Standards and Technology recently published draft requirements for federal and nonfederal groups with access to “controlled unclassified information” -- a subset of confidential information that, while not classified, must still be protected. The Commerce Department agency is accepting public comments on the draft until May 12, 2015.

These requirements are meant to supplement rules under the Federal Information Security Management Act, which governs how federal agencies (and contractors, on their behalf) manage their own data in their own information systems, according to NIST fellow Ron Ross.

The new guidance aims to cover situations not explicitly mentioned in FISMA -- for instance, when state and local governments, colleges and universities, or private organizations happen to receive federal CUI data through a contract or an agreement. 

"The concern is that there are appropriate levels of protection for information when it's in that type of [environment] -- we call that a nonfederal information system in a nonfederal organization," Ross said. 

Requirements outlined in the draft include limiting information system access to authorized users; separating the duties of individuals with access to the information, so that malevolent activity would require collusion; and making sure managers, systems administrators, and others are aware of the security risks, policies and standards associated with the information they access, among several others.

A 2010 executive order established the Controlled Unclassified Information Program, which aims to standardize how the federal government handles protected information. The National Archives and Records Administration, an independent agency working with NIST, was tasked with implementing that program.

Ross said these rules won't become mandatory until they become part of the Federal Acquisition Regulation; eventually, the requirements might be regularly added into contractual agreements with the federal government. 

Final publication of these rules is targeted for June 2015, after the public comment period, the notice said.
