Final guidance (SP 800-171) from the National Institute of Standards and Technology on protecting sensitive federal information on nonfederal information systems “will prove important, perhaps profound, as the nation seeks to improve its cyber defenses,” said an attorney who specializes in government contracts. The guidance addresses protecting “controlled unclassified information” (CUI) in nonfederal information systems and organizations, such as contractors, state and local governments and colleges and universities. NIST developed the guidance in collaboration with the National Archives and Records Administration (NARA), which administers the CUI program. The next step is for either NARA or other federal agencies to provide solicitation requirements and contract clauses regarding contractors’ obligation to use SP 800-171.