NIST issues new guidelines on protecting unclassified data in government systems


The framework considers the private sector’s increased role in helping the federal government in day-to-day operations and aims to reduce the risk of supply chain cyberattacks.

Federal agencies and their contractors received a new set of security standards on Tuesday aimed at preventing the unauthorized transmission of the sensitive unclassified information that is frequently exchanged between agencies and private sector contractors.

The release from the National Institute of Standards and Technology, Special Publication 800-171 Revision 3, updates the 2020 iteration of the document, adding three new families of security controls to the government's Controlled Unclassified Information program, which sets benchmarks for how federal agencies and their contractors should safeguard sensitive unclassified data stored in their systems.

Chief among the new additions is a supply chain risk management family that accounts for the frequent collaboration between federal agencies and private sector vendors that provide the government with the software, equipment and training needed for everyday tasks. The other new families cover system and services acquisition, including outside service providers, and planning, which helps agencies set out the security controls they will need ahead of time.

Under the updated NIST standards, the U.S. government will have a year to transition existing operations to the new CUI baseline, while new federal programs will have to meet the threshold from the start. Dozens of data types fall under CUI, including personal military records, export-controlled research and internal intelligence community data.

The CUI label is applied to agency or Department of Defense information that is not deemed sensitive enough to be classified, a designation that restricts access to those holding a security clearance, but that still poses risks if it is not protected.

Agencies and contractors often move data across devices or take their work home with them, and NIST considers a compromise of that data a national security risk. CUI can range from personal health information in an agency's HR system to weapon systems documentation in the Pentagon, said Ron Ross, a co-author of the new framework who serves as a NIST fellow focusing on federal cybersecurity and risk management.

Supply chain cyberattacks involve an attacker exploiting weaknesses in a third-party entity to breach the systems of the organizations that depend on it. For the federal government, that means data handed to an outside service or security provider is exposed to attackers if the provider does not protect it adequately.

“We’re building a very complex infrastructure of information systems,” he said in a phone call with Nextgov/FCW ahead of the guidelines’ release. “You’re talking about trillions of lines of code and billions of devices from industrial control systems to enterprise IT systems, devices … firmware and software.”

No single cyber incident motivated NIST to add a supply chain family to its new framework, but federal public-private partnerships mean “we have to ensure this information is protected,” Ross said.

For example, supply chain cyberattacks last year included the mass exploitation of a vulnerability in Progress Software's MOVEit Transfer file transfer software, which affected thousands of organizations around the world, as well as a separate incident in which North Korea-linked hackers compromised the 3CX conferencing app after first trojanizing software from a financial trading platform vendor.

More recently, Microsoft came under fire for security lapses that allowed Russian state-backed hackers to exfiltrate agency email exchanges with the company. The tech giant was also the subject of a scathing report from the DHS Cyber Safety Review Board following a hack last summer that allowed Chinese hackers to steal the emails of top U.S. officials, including Commerce Secretary Gina Raimondo.

“[CUI] has one common characteristic — the adversary knows this information has great value, especially things in research and development, which may take us years and years of very significant investment,” Ross said. “And if adversaries can steal the information and turn it into the next generation weapon system on their side, they don’t have to invest all that money in their R&D.”

The CUI program was born out of an Obama-era executive order, Executive Order 13556 of 2010, that established a uniform approach for agencies to manage and protect unclassified information requiring safeguarding. It gave the National Archives oversight of the program, which manages CUI designations to this day.