Date Published: July 19, 2022
Comments Due:
Email Questions to:
Planning Note (11/01/2022):
We have posted an analysis of public comments received. During the 90-day public comment period, more than 60 individuals and organizations submitted comments describing how they use the CUI series and provided feedback on potential updates for consistency with SP 800-53, Revision 5, and SP 800-53B. The comments also addressed implementation and usability issues and provided other suggestions to improve the publication.
Announcement
NIST plans to update the Controlled Unclassified Information (CUI) series of publications, starting with Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. To support this planned update, NIST is issuing this Pre-Draft Call for Comments to solicit feedback from interested parties to improve the publication and its supporting publications, SP 800-171A, SP 800-172, and SP 800-172A.
SP 800-171 was published in June 2015 with minor updates in December 2016 and February 2020. Since the initial publication date, there have been significant changes in the cybersecurity threats, vulnerabilities, capabilities, technologies, and resources that impact the protection of CUI. In addition, there are the experiences of the organizations that have implemented SP 800-171 and its supporting publications. With these changes and opportunities to learn from implementers, NIST seeks feedback about the use, effectiveness, adequacy, and ongoing improvement of the CUI series.
The following is a non-exhaustive list of topics that may be addressed in the call for comments. Comments may also include other topics related to the improvement of the CUI series. NIST will consider all relevant topics in the development of the revised SP 800-171 and its supporting publications.
Use of the CUI Series
- How organizations are currently using the CUI series (SP 800-171, SP 800-171A, SP 800-172, and SP 800-172A)
- How organizations are currently using the CUI series with other frameworks and standards (e.g., NIST Risk Management Framework, NIST Cybersecurity Framework, GSA Federal Risk and Authorization Management Program [FedRAMP], DOD Cybersecurity Maturity Model Certification [CMMC], etc.)
- How to improve the alignment between the CUI series and other frameworks
- Benefits of using the CUI series
- Challenges in using the CUI series
Updates for consistency with SP 800-53 Revision 5 and SP 800-53B
- Impact on the usability and existing organizational implementation (i.e., backward compatibility) of the CUI series if it were updated for consistency with SP 800-53 Revision 5 and the moderate security control baseline in SP 800-53B
Updates to improve usability and implementation
- Features of the CUI series should be changed, added, or removed. Changes, additions, and removals can cover a broad range of topics, from consistency with other frameworks and standards to rescoping criteria for inclusion of requirements. For example:
- Addition of new resources to support implementation: The benefits and challenges of including an SP 800-53 Control Overlay [1] and/or a Cybersecurity Framework Profile Appendix as an alternative way to express the CUI security requirements.
- Change to the security requirement tailoring criteria: Impact of modifying the criteria used to tailor [2] the moderate SP 800-53B security control baseline (e.g., the potential inclusion of controls that are currently categorized as NFO – Expected to be routinely satisfied by nonfederal organizations without specification)
- Any additional ways in which NIST could improve the CUI series
The comment period is open through September 16, 2022. Please submit comments to
800-171comments@list.nist.gov. Comments received in response to this request will be posted on the
Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.
[1] The term overlay is a specification of security or privacy controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process that is intended to complement (and further refine) security control baselines. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems.
[2] The term tailoring is the process by which control baselines are modified by (1) identifying and designating common controls, (2) applying scoping considerations on the applicability and implementation of SP 800-53B baseline controls, (3) selecting compensating controls, (4) assigning specific values to organization-defined control parameters, (5) supplementing baselines with additional controls or control enhancements, and (5) providing additional specification information for control implementation.
Control Families
Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Maintenance; Media Protection; Physical and Environmental Protection; Personnel Security; System and Communications Protection; System and Information Integrity
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
