NIST SP 800-171 Rev. 1 (Initial Public Draft)

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

Date Published: August 2016
Comments Due: September 16, 2016 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov

Author(s)

Ron Ross (NIST), Kelley Dempsey (NIST), Patrick Viscuso (NARA), Mark Riddle (NARA), Gary Guissanie (IDA)

Announcement

Draft Special Publication 800-171, Revision 1, represents a limited update to the original publication released in June 2015. In particular, this update includes:

  • A clarification of the purpose and applicability statement;
  • Minor clarifications, additions, and adjustments to selected CUI requirements;
  • Guidance on the use of system security plans (SSPs) and plans of action and milestones (POAMs) to demonstrate the implementation or planned implementation of CUI requirements by nonfederal organizations;
  • Guidance on federal agency use of submitted SSPs and POAMs as critical inputs to risk management decisions and decisions on whether or not to pursue agreements or contracts with nonfederal organizations;
  • Additional definitions and terms for the glossary; and
  • The implementation of hyperlinks to facilitate ease of use in navigating the document.

Both markup and clean copies of the draft publication are provided to facilitate a more efficient reviewing process. The feedback obtained from this public review will be incorporated into a final publication targeted for release in Fall 2016.

Abstract

Keywords

Controlled Unclassified Information; CUI Registry; Executive Order 13556; FIPS Publication 199; FIPS Publication 200; FISMA; NIST Special Publication 800-53; Nonfederal Information Systems; Security Control; Security Requirement; Derived Security Requirement; Contractor Information Systems; Security Assessment

Control Families

Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Maintenance; Media Protection; Physical and Environmental Protection; Personnel Security; System and Communications Protection; System and Information Integrity

Documentation

Publication:
Draft SP 800-171 Rev. 1 (pdf)

Supplemental Material:
Mark-up Copy of Draft SP 800-171 Rev. 1 (pdf)

Document History:
08/16/16: SP 800-171 Rev. 1 (Draft)