The National Institute of Standards and Technology (NIST) has released newly updated guidelines for Federal agencies on how to protect their controlled unclassified information (CUI) when it resides on private-sector systems.

The guidance, released earlier this week, updates guidelines set by NIST in 2020 and adds a series of benchmarks for the level of protection that Federal agencies should target.

“The protection of Controlled Unclassified Information (CUI) is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions,” stated NIST.

“This publication provides federal agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations,” the agency said.

The new guidance adds direction on protecting CUI in the context of better supply chain risk management.

“Dependence on the products, systems, and services of external providers and the nature of the relationships with those providers present an increasing level of risk to an organization,” stated NIST. “Threat actions that may increase security risks include unauthorized production, the insertion or use of counterfeits, tampering, poor manufacturing and development practices in the supply chain, theft, and the insertion of malicious software, firmware, and hardware.”

“Managing supply chain risks is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders,” the agency said.

The updated guidance covers other areas, including:

  • Access Control;
  • Awareness and Training;
  • Audit and Accountability;
  • Assessment, Authorization, and Monitoring;
  • Configuration Management; and
  • Identification and Authentication.

“The requirements apply to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components. The security requirements are intended for use by Federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations,” stated NIST.

Jose Rascon
Jose Rascon is a MeriTalk Staff Reporter covering the intersection of government and technology.