Date Published: May 10, 2023
Comments Due:
Email Questions to:
Author(s)
Ron Ross (NIST), Victoria Pillitteri (NIST)
Announcement
This update to NIST SP 800-171 represents over one year of data collection, technical analyses, customer interaction, redesign, and development of the security requirements and supporting information for the protection of Controlled Unclassified Information (CUI). Many trade-offs have been made to ensure that the technical and non-technical requirements have been stated clearly and concisely while also recognizing the specific needs of both federal and nonfederal organizations.
Significant changes NIST SP 800-171, Revision 3 include:
- Updates to the security requirements and families to reflect updates in NIST SP 800-53, Revision 5 and the NIST SP 800-53B moderate control baseline
- Updated tailoring criteria
- Increased specificity for security requirements to remove ambiguity, improve the effectiveness of implementation, and clarify the scope of assessments
- Introduction of organization-defined parameters (ODP) in selected security requirements to increase flexibility and help organizations better manage risk
- A prototype CUI overlay
Additional files include an FAQ, a detailed analysis of the changes between Revision 2 and Revision 3, and a prototype CUI Overlay.
NIST will also host a webinar on
June 6, 2023 to provide an overview of the significant changes to SP 800-171, Revision 3. Registration information will be announced separately through a GovDelivery announcement and on the
Protecting CUI project site.
Submit Your Comments
The public comment period is open now through July 14, 2023. We strongly encourage you to use this comment template if possible, and submit it to 800-171comments@list.nist.gov.
Reviewers are encouraged to comment on all or parts of draft NIST SP 800-171, Revision 3. NIST is specifically interested in comments, feedback, and recommendations for the following topics:
- Re-categorized controls (e.g., controls formerly categorized as NFO)
- Inclusion of organization-defined parameters (ODP)
- Prototype CUI overlay
Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.
Please direct questions and comments to 800-171comments@list.nist.gov.
NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication provides agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations, when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency, and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry. The requirements apply to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components. The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.
The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication...
See full abstract
The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication provides agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations, when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency, and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry. The requirements apply to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components. The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.
Hide full abstract
Keywords
basic security requirement; contractor systems; Controlled Unclassified Information; CUI Registry; derived security requirement; Executive Order 13556; FIPS Publication 199; FIPS Publication 200; FISMA; NIST Special Publication 800-53; nonfederal organizations; nonfederal systems; security assessment; security control; security requirement
Control Families
Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Maintenance; Media Protection; Physical and Environmental Protection; Personnel Security; System and Communications Protection; System and Information Integrity
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
