Further development of this draft has ceased (December 20, 2016).
Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
Date Published: August 2016
Author(s)
Ron Ross (NIST), Kelley Dempsey (NIST), Patrick Viscuso (NARA), Mark Riddle (NARA), Gary Guissanie (IDA)
Announcement
Draft Special Publication 800-171, Revision 1, represents a limited update to the original publication released in June 2015. In particular, this update includes:
- A clarification of the purpose and applicability statement;
- Minor clarifications, additions, and adjustments to selected CUI requirements;
- Guidance on the use of system security plans (SSPs) and plans of action and milestones (POAMs) to demonstrate the implementation or planned implementation of CUI requirements by nonfederal organizations;
- Guidance on federal agency use of submitted SSPs and POAMs as critical inputs to risk management decisions and decisions on whether or not to pursue agreements or contracts with nonfederal organizations;
- Additional definitions and terms for the glossary; and
- The implementation of hyperlinks to facilitate ease of use in navigating the document.
Both markup and clean copies of the draft publication are provided to facilitate a more efficient review process. The feedback obtained from this public review will be incorporated into a final publication targeted for release in fall 2016.
The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.
Keywords
Controlled Unclassified Information; CUI Registry; Executive Order 13556; FIPS Publication 199; FIPS Publication 200; FISMA; NIST Special Publication 800-53; Nonfederal Information Systems; Security Control; Security Requirement; Derived Security Requirement; Contractor Information Systems; Security Assessment
Control Families
Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Maintenance; Media Protection; Physical and Environmental Protection; Personnel Security; System and Communications Protection; System and Information Integrity