Date Published: June 2019
Comments Due: August 2, 2019 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov
Draft NIST SP 800-171B was developed in the spring of 2019 as a supplement to NIST SP 800-171. This new document offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure. When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)). In recent years, these critical programs and HVAs have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST.
The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171, since the basic and derived requirements are not designed to address the APT. The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a critical program or HVA. The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.
Submitting comments:
NOTE: A call for patent claims is included on page v of Draft SP 800-171B. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
Publication:
Draft SP 800-171B
Supplemental Material:
Draft SP 800-171B (with line numbers) (pdf)
Comment template for SP 800-171B (xls)
Comments received on SP 800-171B (@Protecting CUI Project) (other)
DoD cost estimate of Draft SP 800-171B (pdf)
Submit/View comments on DoD cost estimate of Draft SP 800-171B (other)
NIST news article (other)
Other Parts of this Publication:
SP 800-171 Rev. 2 (Draft)
Document History:
06/19/19: SP 800-171B (Draft)
07/06/20: SP 800-172 (Draft)
02/02/21: SP 800-172 (Final)
Security and Privacy
acquisition; advanced persistent threats; audit & accountability; security controls
Laws and Regulations
Federal Acquisition Regulation; Federal Information Security Modernization Act