In a move to enhance the protection of sensitive unclassified information, the National Institute of Standards and Technology (NIST) has released new draft guidelines that will govern the handling of controlled unclassified information (CUI) by federal agencies. The updated standards, once implemented, will also apply to federal contractors and subcontractors responsible for government data.
The revised guidelines aim to establish consistent information security measures for members of the defense industrial base and other government contractors. Ron Ross, an author of the publication and a NIST fellow, emphasized that the additional requirements specifically address the escalating threats to CUI, which has increasingly become a target of state-level espionage. With the evolving threat landscape, the objective is to implement and maintain robust defenses aligned with the latest best practices.
Ross further explained that the new guidelines have been designed to provide contractors with a clearer understanding of federal cybersecurity practices, as well as the rationale behind them. By offering more comprehensive and unambiguous details, the intention is to equip contractors with the necessary knowledge to comply with the standards effectively.
While CUI falls below the level of classified information, federal agencies have recognized the need for heightened protection in recent years. Notably, the Department of Defense's (DOD) forthcoming Cybersecurity Maturity Model Certification (CMMC) will require defense contractors handling CUI to meet specific NIST cybersecurity standards. Similar requirements might also be implemented for civilian agencies in the near future.
Stacy Bostjanick, the leader of the DOD's CMMC program, revealed that a new Federal Acquisition Regulation rule will incorporate NIST's special publications 800-171 and 800-172. The recently published draft guidance is the third iteration of NIST's 800-171.
To ensure comprehensive input from the public, NIST has invited comments on the draft guidelines until July 14. The engagement of stakeholders in the review process is crucial for refining and finalizing the guidelines to establish robust protection mechanisms for sensitive unclassified information. Ilona Cohen, Chief Legal and Policy Officer at HackerOne, expressed support for the U.S. government's endorsement of VDPs and offered insights on what the updated guidance means for organizations:
"The U.S. government continues to go all in on their endorsement of vulnerability disclosure programs (VDPs). This recent guidance from NIST is yet another recognition of the value that VDPs offer to federal agencies and other organizations. The guidelines call VDPs 'one of the best ways' to 'become aware of issues' and 'help reduce known security vulnerabilities.'
For years, HackerOne has proudly worked with government agencies, including the Pentagon, who have already experienced significant positive impact from VDPs and the security researcher community. We hope all companies follow these best practices for VDPs, that federal contractors keep pace with agencies on this vital security practice, and that we'll continue to see the expansion of VDP adoption."