NIST adds flexibility, digital format to security requirements for federal contractors


The U.S. National Institute of Standards and Technology has updated its guidance for how businesses working with the federal government should protect sensitive data with biometrics and other digital technologies.

NIST issued the new “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” (NIST Special Publication 800-171, Revision 3), and companion document “Assessing Security Requirements for Controlled Unclassified Information” (NIST SP 800-171A, Revision 3) based on its source catalog of security and privacy controls, as outlined in SP 800-53 and SP 800-53A, according to an announcement.

The controls laid out over the 120 pages of SP 800-171 address comprehensive security requirements for federal contractors, from access control to awareness and training, risk assessment to maintenance and incident response. Biometrics are not necessarily required, but are noted among possible technologies for use in identification and authentication, particularly for multi-factor authentication, in authenticator management and physical access control.

SP 800-171r3 updates the guidance for consistency with SP 800-53r5. It provides restructured security requirements to match the controls specified in SP 800-53r5, introduces organization-defined parameters (ODPs), streamlined criteria for tailoring, and recategorized controls based on those criteria. SP 800-171Ar3 adjusts the terminology for assessment procedures to align with the security and privacy controls and builds in ODPs. An FAQ explains that the purpose of ODPs is “to provide flexibility to federal agencies in tailoring controls to support specific organizational missions or business functions and to manage risk.”

The safeguards are now available in machine-readable formats like JSON and Excel through NIST’s Cybersecurity and Privacy Reference Tool.

“Toolmakers often want to import relevant sections of the guidance directly into an electronic form for easier reference and use,” says NIST’s Ron Ross, one of the authors of the revised document. “Providing the guidance in these additional formats will allow them to do that. It will help a wider group of users to understand the requirements and implement them more quickly and efficiently.”
