In an effort to address growing concerns about security vulnerabilities in both the public and private sectors, the National Institute of Standards and Technology (NIST) has released a flurry of new and updated information security recommendations. The latest recommendations address protections for sensitive data held by federal contractors, encryption standards, and security for federal Smart ID cards.
Special Publication 800-171, titled Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, provides guidance on protecting “controlled unclassified information” (“CUI”) that is processed, stored, or transmitted by nonfederal organizations using nonfederal information systems. NIST issued the guidance in conjunction with the National Archives and Records Administration (NARA) pursuant to Executive Order 13556, which requires the two agencies to issue directives as necessary to protect such information.
The guidance provides security requirements for CUI in fourteen different areas: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. However, NIST stresses that the publication is not intended to supersede or displace other requirements for protecting CUI; rather, it is meant to express existing CUI security requirements in a more tailored, easy-to-follow format. The guidance helpfully includes an appendix mapping the tailored security requirements to the two existing applicable standards: NIST SP 800-53, and ISO/IEC 27001.
NIST has also updated its encryption standards to remove an algorithm known as the Dual Elliptic Curve random number generator (Dual_EC_DRG) from its list of acceptable encryption algorithms. This algorithm had been the target of controversy after the media reported in 2013 that the National Security Agency (NSA) exploited a weakness in this algorithm to access encrypted information.
Earlier this summer, NIST also has released draft updates to technical specifications for federal employee personal identification verification (“PIV”) cards for public comment. These include a draft Special Publication for PIV Card Application and Middleware Interface Test Guidelines, focusing on new encryption specifications for next-generation PIV cards, and a draft Interagency Report, Derived Personal Identity Verification Credentials Proof of Concept Research, exploring, among other points, the possibilities for advanced security and verification techniques through PIV cards compatible with smart phones.
Collectively, NIST’s new and updated guidance reflects a broader push in the government to tighten information security controls following a rapid increase in security breaches, and in particular, the massive Office of Personnel Management breach that compromised the information of over 20 million current and former federal employees. Although the recent publications are largely labeled as “guidance” documents, contractors should take care to adhere to the new recommendations which may be incorporated into contractual obligations, and as enforcement agencies may seek to argue that NIST guidance should be the appropriate standard of care in securing government information.