Protecting Sensitive Federal Information in Your Cloud
In the wake of recent high-profile government breaches of personal information, the feds have published guidelines for protected controlled but unclassified information handled by contractors, which will be incorporated into contracts. The vulnerability of personally identifiable information held by the government has become a high-profile issue in the wake of breaches at the Office of Personnel Management (OPM) and the IRS. It also is an issue for contractors who store, process, or use government data, and who must ensure the security of sensitive information. The National Institute of Standards and Technology (NIST) has published new guidelines [http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf] for protecting Controlled Unclassified Information (CUI) on non-government systems. The guidelines soon will be incorporated into contract language.
Despite the timing of the release, the guidelines in Special Publication 800-171 are not a response to recent breaches. They were developed as the result of an Executive Order on Controlled Unclassified Information [https://www.whitehouse.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information] issued in 2010. Its goal is to establish an “open and uniform program for managing information that requires safeguarding . . . .” The National Archives and Records Administration (NARA) oversees the CUI program. NIST developed the guidelines, because that is what NIST does.
NARA plans in 2016 to offer a Federal Acquisition Regulation (FAR) clause that will apply the CUI guidelines to contracts.
What will this mean for agencies acquiring cloud and other computing services and for the contractors providing them? Actually, it probably is good news. The new regulations will standardize requirements that agencies and contractors should already have been following.
Agencies have always been required under FISMA (Federal Information Security Modernization Act) to ensure that contractors’ IT systems meet the same security requirements as federal information systems. That is the whole point of FedRAMP, after all; it provides a vehicle to ease FISMA compliance in the commercial cloud by ensuring that approved platforms meet baseline security requirements. With the new guidelines incorporated into FAR, agencies can easily express just what is expected from a contractor in the way of CUI security.
The guidelines should not include anything new for contractors. They are derived from the Federal Information Processing Standard (FIPS) publication 200 and the moderate security control baseline in NIST’s SP 800-53, which is the foundational publication for FISMA compliance.
The new guidelines cover only confidentiality of information and do not include the full triad of information security, which also includes the integrity and availability of information. The guidelines also are not the final word on protecting CUI; they are a starting point, geared to information requiring a moderate level of controls. Some unclassified information, the results of federal background checks, for instance, might require a higher level of security. Each agency will have to craft its own requirements based on its information security needs.
But the guidelines will provide a common starting point. The requirements cover 14 areas of security:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authorization
- Incident response
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security Assessment
- System and communications protection
- System and information integrity
With increasing attention being given to the security of all government data, regardless of where it is being held, the new guidelines and coming contract language can help contractors ensure that their systems meet the needs and expectations of their customers.
William Jackson is a freelance writer with the Tech Writers Bureau [www.techwritersbureau.com] and the author of The Cybereye. Follow him on Twitter @TheCybereye.