The National Institute of Standards and Technology has updated its guidance on protecting sensitive government data stored in systems operated by nonfederal organizations and its guidelines for assessing security requirements for controlled unclassified information.
The updates align the terms used in the two publications with NIST’s source catalog of security and privacy controls and assessment procedures to clarify security requirements and eliminate uncertainty in security requirement assessments, the agency said Tuesday.
“For the sake of our private sector customers, we want our guidance to be clear, unambiguous and tightly coupled with the catalog of controls and assessment procedures used by federal agencies,” said Ron Ross, one of the publications’ authors.
The guidance, titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” requires federal contractors and other organizations working with the government to protect their systems that host controlled unclassified information from potential adversarial threats.
Meanwhile, its companion publication, SP 800-171A, helps users assess their compliance with the security requirements for the federal government’s non-classified information.