The federal government released new guidelines June 13 for companies to assess if they comply with requirements to handle controlled but unclassified information.
The National Institute for Standards and Technology released SP 800-171A, which contains more than 100 requirements for companies and agencies to test whether they are in line with federal stipulations to work with sensitive information.
The guidelines are aimed at identifying potential problems in security, singling out environmental weaknesses and prioritizing risk mitigation.
The federal rule to handle controlled unclassified information, or CUI, is laid out in SP 800-171.
Companies who use CUI can either self-test, use a third-party auditor, or in some cases be inspected by government officials, according to Ron Ross, a fellow at NIST. Most companies will elect to self-test.
For each requirement, there is at least one way for a company to analyze if it is federally compliant.
Businesses may be required to examine documentation, interview officials to ensure they retain sufficient knowledge, or test technical capacity to meet just one standard. At times, a requirement may call for a combination of the three methods.
“Organizations also have flexibility in defining the level of rigor and detail associated with the assessment based on the assurance requirements,” the new policy says.
The guidelines follow two previous draft requests for public comment.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.