A vast amount of federal information is regularly stored, processed and transmitted by non-federal organizations such as contractors, state and local governments, universities and research organizations. Often this information is sensitive, and if compromised it would have a direct negative impact on the functioning of the federal government and on an agency's ability to achieve its mission. Protecting that information, both inside and outside federal information systems, is therefore critically important.
Since the creation of Executive Order 13566, Controlled Unclassified Information (CUI), in late 2010, government cyber incidents have shown no signs of slowing down. We’ve seen that sophisticated cyber actors are targeting non-federal systems handling government data as a path to high value agency assets.
Requirements for protecting CUI have been derived from four key federal standards and guidelines to maintain consistency across agency and non-federal implementations. This ensures standardized, reliable protection. The resulting guidance, found in NIST SP 800-171, is organized into 14 security requirement families. These requirements map directly to specific security controls in NIST SP 800-53 and ISO/IEC 27001. Non-federal organizations are instructed to specify in a system security plan how they will meet these requirements.