NIST Updates Guidance on Protecting Sensitive Data for Federal Contractors
The U.S. National Institute of Standards and Technology (NIST) has released updated guidance for businesses that handle sensitive federal data under contracts with the federal government. The new publications, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” (NIST SP 800-171, Revision 3) and its companion assessment guide “Assessing Security Requirements for Controlled Unclassified Information” (NIST SP 800-171A, Revision 3), set out the security requirements federal contractors must meet when they store, process, or transmit controlled unclassified information (CUI). The requirements are derived from and aligned with the security controls in NIST SP 800-53, Revision 5, and are grouped into families such as access control, risk assessment, and incident response.
The guidance does not mandate biometrics, but it cites them as one possible technology for multi-factor authentication and access control. The revision introduces organization-defined parameters (ODPs): values in a requirement (for example, a time period or a threshold) that are left open so that a federal agency can set them to fit its own risk posture; where the agency does not specify a value, the nonfederal organization assigns one. The updated requirements are also published in machine-readable formats, including JSON and Excel, to make them easier to load into tooling and track during implementation.
Ron Ross of NIST highlighted that these formats will help toolmakers and users understand and apply the requirements more efficiently. The updates aim to ensure consistency and clarity in security protocols for protecting controlled unclassified information.