NIST SP 800-171 Rev. 3 (Final Public Draft)

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Date Published: November 9, 2023
Comments Due: January 12, 2024
Email Comments to: 800-171comments@list.nist.gov

Author(s)

Ron Ross (NIST), Victoria Pillitteri (NIST)

Announcement

This update to NIST SP 800-171 represents over one year of data collection, technical analyses, customer interaction, redesign, and development of the security requirements and supporting information for the protection of Controlled Unclassified Information (CUI). Many trade-offs have been made to ensure that the technical and non-technical requirements have been stated clearly and concisely while also recognizing the specific needs of both federal and nonfederal organizations.

In response to the 1600+ comments received on the initial public draft and its supporting resources, NIST continued to refine the security requirements to:

  1. Reduce the number of organization-defined parameters (ODP)
  2. Reevaluate the tailoring categories and tailoring decisions
  3. Restructure and streamline the discussion sections

Additional files include an FAQ, a detailed analysis of the changes between Revision 2 and Revision 3, and a prototype CUI Overlay.

Concurrently, the initial public draft (ipd) of NIST SP 800-171Ar3 (Revision 3), Assessing Security Requirements for Controlled Unclassified Information, is also available. 

Submit Your Comments

The public comment period is open now through January 12, 2024. We strongly encourage you to use this comment template if possible, and submit it to 800-171comments@list.nist.gov.

Reviewers are encouraged to comment on all or parts of draft NIST SP 800-171, Revision 3. NIST is specifically interested in comments, feedback, and recommendations for the following topics:

  • Re-categorized controls (e.g., controls formerly categorized as NFO)
  • New tailoring criterion (e.g., other related controls [ORC])
  • Inclusion of organization-defined parameters (ODP)
  • New or revised requirements
  • Prototype CUI overlay

Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.

Please direct questions and comments to 800-171comments@list.nist.gov.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy: Inclusion of Patents in ITL Publications.

Abstract

Keywords

Controlled Unclassified Information; Executive Order 13556; FIPS Publication 199; FIPS Publication 200; FISMA; NIST Special Publication 800-53; nonfederal organizations; nonfederal systems; organization-defined parameter; security assessment; security control; security requirement

Control Families

None selected