Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

DRAFT Special Publication 800-171, Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations
November 18, 2014

NIST announces the release of Draft Special Publication 800-171Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations (Initial Public Draft). 
 
The protection of sensitive unclassified federal information while residing in non-federal information systems and environments of operation is of paramount importance to federal agencies. Compromises of this information can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. This publication provides federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) as defined by Executive Order 13556, when such information resides in non-federal information systems and organizations. The requirements apply to:

  • Non-federal information systems that are beyond the scope of the systems covered by the Federal Information Security Management Act (FISMA); and 
  • All components of non-federal systems that process, store, or transmit CUI.

The CUI protection requirements were obtained from the security requirements and controls in FIPS Publication 200 and NIST SP 800-53, and then tailored appropriately to eliminate requirements that are:

  • Primarily the responsibility of the federal government (i.e., uniquely federal); 
  • Related primarily to availability; or
  • Assumed to be routinely satisfied by non-federal organizations without any further specification.

Non-federal organizations include, for example: federal contractors; state, local, and tribal governments; and colleges and universities. 
 
This publication is part of a larger initiative by the National Archives and Records Administration (NARA) to fulfill their responsibilities as Executive Agent for Executive Order 13556 for CUI. NARA has a three-part plan to help standardize the naming conventions and protection requirements for sensitive information (designated CUI) both within the federal government and when such information resides in non-federal information systems and organizations. NARA’s plan includes:

  • Incorporating uniform CUI policies and practices into the Code of Federal Regulations;
  • Using NIST SP 800-171 to define requirements to protect the confidentiality of CUI; and
  • Developing a standard Federal Acquisition Regulation (FAR) clause to levy the SP 800-171 security requirements to contractor environments.

Please send comments to sec-cert@nist.gov with "Comments Draft SP 800-171” in the subject line. Comments will be accepted through January 16, 2015.

Created December 21, 2016, Updated April 13, 2017