I recently authored an article for Law360 outlining the set of updated guidelines issued by the National Institute of Standards and Technology (NIST) for government contractors that handle controlled unclassified information (CUI).
As I explained in the article, these new guidelines are an “ongoing effort to clarify specific technical and nontechnical requirements, increase flexibility for federal contractors implementing cyber programs, and strengthen defenses as the cyber threat environment rapidly evolves.”
Some of the new changes that will help contractors deal with the rapidly evolving landscape of cybersecurity include:
- Three new families of security requirements: planning, system and services acquisition, and supply chain risk management.
- Tailoring category reassignments: Tailoring is the process by which a set of baseline security controls is modified to better fit a particular system or environment.
- Introduction of organization-defined parameters (ODP): ODPs allow for the customization of designated parameters by federal organizations to support specific organizational missions or business functions, and to manage risk.
I summarized the new guidelines by saying “the overhaul has been a very intentional and iterative process aimed at increasing the understanding, ease of compliance and conciseness of security requirements to protect CUI in nonfederal systems and organizations.” The full article, “What’s New In NIST Revised Sensitive Info Security Guidelines,” was published by Law360 on May 26 and is available online (subscription required). I also wrote on this topic in a previous blog post, available here.