Jul 312015

NIST Releases New and Updated Information Security Guidance

Colleen Theresa Brown and Edward R. McNicholas
, ,

In an effort to address growing concerns about security vulnerabilities in both the public and private sectors, the National Institute of Standards and Technology (NIST) has released a flurry of new and updated information security recommendations.  The latest recommendations address protections for sensitive data held by federal contractors, encryption standards, and security for federal Smart ID cards.

Special Publication 800-171, titled Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, provides guidance on protecting “controlled unclassified information” (“CUI”) that is processed, stored, or transmitted by nonfederal organizations using nonfederal information systems. NIST issued the guidance in conjunction with the National Archives and Records Administration (NARA) pursuant to Executive Order 13556, which requires the two agencies to issue directives as necessary to protect such information.

The guidance provides security requirements for CUI in fourteen different areas: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.  However, NIST stresses that the publication is not intended to supersede or displace other requirements for protecting CUI; rather, it is meant to express existing CUI security requirements in a more tailored, easy-to-follow format. The guidance helpfully includes an appendix mapping the tailored security requirements to the two existing applicable standards: NIST SP 800-53, and ISO/IEC 27001.

NIST has also updated its encryption standards to remove an algorithm known as the Dual Elliptic Curve random number generator (Dual_EC_DRG) from its list of acceptable encryption algorithms. This algorithm had been the target of controversy after the media reported in 2013 that the National Security Agency (NSA) exploited a weakness in this algorithm to access encrypted information.

Earlier this summer, NIST also has released draft updates to technical specifications for federal employee personal identification verification (“PIV”) cards for public comment.  These include a draft Special Publication for PIV Card Application and Middleware Interface Test Guidelines, focusing on new encryption specifications for next-generation PIV cards, and a draft Interagency Report, Derived Personal Identity Verification Credentials Proof of Concept Research, exploring, among other points, the possibilities for advanced security and verification techniques through PIV cards compatible with smart phones.

Collectively, NIST’s new and updated guidance reflects a broader push in the government to tighten information security controls following a rapid increase in security breaches, and in particular, the massive Office of Personnel Management breach that compromised the information of over 20 million current and former federal employees. Although the recent publications are largely labeled as “guidance” documents, contractors should take care to adhere to the new recommendations which may be incorporated into contractual obligations, and as enforcement agencies may seek to argue that NIST guidance should be the appropriate standard of care in securing government information.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Edward R. McNicholas

emcnicholas@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.

FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.