NARA Final Rule

(October 14, 2016 – Jennifer Ortega) On September 14, the National Archives and Records Administration (NARA) issued its final rule implementing Executive Order (EO) 13556, which called for the creation of a single definition of Controlled Unclassified Information (CUI) for all federal agencies to follow and gave NARA the role of establishing that definition through the creation of “an open and uniform program for managing information that requires safeguarding or dissemination controls.” This was done to replace the previous patchwork of controls independently developed and used by various federal agencies.

NARA’s final rule incorporates by reference the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171, along with additional safeguarding standards. It states that those standards must be applied to all systems that maintain CUI, which is defined as any unclassified information provided by the federal government to another entity requiring “safeguarding or dissemination controls… consistent with applicable laws, regulations, and government-wide policies.” While NARA’s rule only applies to federal agencies, inclusion of these standards is required in any and all procurement contracts issued by those agencies; it will therefore filter down to contractors and subcontractors, including higher education institutions that maintain CUI on behalf of the federal government.

In the final rule, NARA specifically referenced comments submitted by the higher education community, but it disregarded college and university arguments that SP 800-171 should not apply to CUI stored in their systems. NARA explained that it expects all entities holding CUI to abide by the standards.

The final rule goes into effect on November 14, 2016.


Jen Ortega serves as a consultant to EDUCAUSE on federal policy and government relations. She has worked with EDUCAUSE since 2013 and assists with monitoring legislative and regulatory proposals across a range of policy areas, including cybersecurity, data privacy, e-learning, and accessibility.