In a move likely to raise the blood pressure of more than a few security professionals, the U.S. federal government has now determined that companies must take responsibility for the applications they use to handle and store people's data.
In June 2015, the U.S. National Institute of Standards and Technology (NIST) released its latest set of guidelines for the handling of Controlled Unclassified Information (CUI), which covers data such as personally identifiable, financial, and health information, along with other sensitive data that one would not want falling into the wrong hands.
The December 31, 2017, due date has come and gone, and yet many organizations are still asking questions about what these guidelines mean for them.
The new recommendations, referred to as NIST SP 800-171, were laid out in a publication titled "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," which set out NIST's expectations for contractors that work with the federal government and handle this kind of data.
Derived from Executive Order 13556, signed by former President Barack Obama in 2010, NIST's stated goal in this effort is to bring the "non-federal entities" (read: contractors, in plain language) that work with the government into line with some of the same standards the federal agencies themselves have been working towards in recent years.
New Expectations for Application Security
The NIST guidelines cover a wide range of security areas, including access control, security awareness training for staff, and plenty of other important best practices.
To get a better handle on where the U.S. government could be headed here, we spoke with NIST Fellow Ron Ross, one of the authors of the publication, to discuss the goals and thinking behind the new measures.
Ross first (Read more...)
*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Blog – WhiteSource. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/nist-800-171-sets-new-standards-for-cui-data-protection