If you are a government contractor that must maintain an information system for the government under a contract, you will want to take note of a recent document issued by the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce: “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” NIST Special Publication 800-171.
Executive Order 13556, which was issued on November 4, 2010, designated the National Archives and Records Administration (NARA) as the government agency responsible for developing regulations for the government’s programs, including computer and physical security, for controlled unclassified information (CUI). Indeed, NARA is expected to issue such a regulation later this year. The proposed regulation is available here.
New regulation in the offing
In 2016, NARA is expected to sponsor a single Federal Acquisition Regulation (FAR) clause that will apply the CUI requirements to contractors. This action should benefit a substantial number of contractors that are attempting to comply with the current multiplicity of confusing contract clauses.
Compliance with NIST Special Publication 800-171 may be required in federal contracts consistent with federal law and regulatory requirements.
At the very least, this document represents a threshold requirement for physical and computer security with CUI, and contractors should therefore examine its requirements. If a business is not in compliance with these requirements, it’s probably at risk of having confidential information “hacked” or stolen—regardless of whether a federal contract is involved. Furthermore, if these very basic requirements are not being used to protect a business’ trade secrets, a court might consider the information not to be secret and would therefore find it unprotected as a trade secret.
Examples of some of the NIST requirements
The following are some of the basic physical access requirements that the NIST document requires and that we recommend you have in place to protect your trade secrets:
- Limiting physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- Protecting and monitoring the physical facility and support infrastructure for those information systems.
- Escorting visitors and monitoring visitor activity.
- Maintaining logs of physical access.
- Having devices that limit physical access.
Definition of CUI
Some government information is available to the public. Classified information is defined by Executive Order 13526 (issued December 29, 2009) or the Atomic Energy Act of 1954 and is required to have classified markings and protection against unauthorized disclosure. CUI is information that is not publicly available, does require safeguarding or dissemination controls, but is not classified. The whole point of the NARA project is to define exactly what that is. Some examples:
- Not CUI: Executive Order 13526 is not CUI because it’s publically available. (You may have just proved this by downloading a copy.)
- CUI: The password to the Government Publications Office (GPO) website from which you downloaded Executive Order 13526 is CUI. It’s not top secret, but the GPO doesn’t want just anyone posting documents on its website. (It might be embarrassing, to say the least.)
- Not CUI: The passwords that allow the President to launch a nuclear attack are classified and are not CUI.
Bottom-line for government contractors
To some extent, the NIST standard incorporates some basic common-sense procedures designed to increase business security. By becoming familiar with the NIST standard, government contractors will not be caught by surprise when the FAR regulation is adopted.
Items on this web page are general in nature. They cannot—and should not—replace consultation with a competent legal professional. Nothing on this web page should be considered rendering legal advice.