Although the Government has long recognized the need for security measures to protect sensitive government information residing on contractor information systems, it has struggled to adopt a unified approach to contractor data security. In recent years, guidance for securing "sensitive but unclassified" information on non-federal information systems has been inconsistent, with multiple agencies addressing the protection of federal information in materially different and sometimes conflicting ways.
On November 18, 2014, the U.S. Department of Commerce's National Institute of Standards and Technology ("NIST") released a draft version of NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ("SP 800-171"). As part of a larger initiative to comply with Executive Order 13556, the new publication aims to provide clear, government-wide security requirements for "controlled unclassified information," primarily by implementing security requirements and controls from prior NIST guidance and tailoring them specifically for nonfederal entities. The Government also anticipates establishing a single FAR clause that will apply the requirements of SP 800-171 to contractors. In exigent circumstances, agencies are permitted to reference SP 800-171 in a contract-specific requirement until promulgation of a final FAR clause. NIST is accepting comments on the draft document through January 16, 2015.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.