Computer Security Resource Center

DRAFT Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
April 02, 2015

NIST announces the release of Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (Final Public Draft). (NOTE: This draft has since been approved as final, as of June 2015.)
 
The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) where the CUI does not have specific safeguarding requirements prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry; and (iii) when the information systems where the CUI resides are not operated by organizations on behalf of the federal government. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. 
 
The final draft of NIST Special Publication 800-171 contains some significant changes based on the comments received from both the public and private sectors. The changes include:

  • Clarifying the purpose, scope, and applicability of the publication;
  • Defining the underlying assumptions and expectations for federal agencies and nonfederal organizations in applying the recommended CUI security requirements;
  • Explaining how the publication relates to the Controlled Unclassified Information (CUI) federal rule and the Federal Acquisition Regulation (FAR) clause to be sponsored by the National Archives and Records Administration (NARA);
  • Adjusting the CUI security requirements to ensure complete coverage and traceability to federal policies, standards, and guidance;
  • Providing tables that illustrate the mapping of CUI security requirements to security controls in NIST Special Publication 800-53 and ISO/IEC 27001;
  • Providing tables that illustrate the tailoring actions on the NIST Special Publication 800-53 moderate security control baseline; and
  • Adding guidance on using the content of the mapping tables to support implementation of the NIST Framework for Improving Critical Infrastructure Cybersecurity.

The final publication of SP 800-171 is targeted for June 2015 after the final public comment period. Questions? Send email to sec-cert@nist.gov.

Comment period CLOSED on: May 12, 2015

Created December 21, 2016, Updated April 25, 2017