NIST has published the final versions of Special Publication (SP) 800-171r3 (Revision 3), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and SP 800-171Ar3, Assessing Security Requirements for Controlled Unclassified Information. The security requirements and assessment procedures have been issued concurrently through the Cybersecurity and Privacy Reference Tool (CPRT) to give users additional ways to access the datasets (i.e., via browser, download as spreadsheet, and JSON).
Major updates to SP 800-171r3 include refinements for consistency with SP 800-53r5, such as:
SP 800-171r3 provides additional outcome-oriented guidance to reduce ambiguity and better support implementation.
NIST is also issuing a CUI Overlay that shows the direct SP 800-53 control item tailoring for the CUI security requirements. Other supplemental resources to assist implementers include an analysis of changes between SP 800-171r2 and SP 800-171r3 and an FAQ.
Similarly, SP 800-171Ar3 includes updates for consistency with the corresponding SP 800-171r3 security requirements and the source SP 800-53Ar3 assessment procedures, including:
In response to the feedback received during the public comment period, additional guidance on conducting security requirement assessments was also included, and a one-time “revision number” change was made for consistency and alignment with SP 800-171r3.
NIST plans to release additional resources through the Online Informative References (OLIR), including crosswalks between SP 800-171r3 and SP 800-53r5, and the Cybersecurity Framework 2.0.
NIST has also issued a News Article, NIST Finalizes Updated Guidelines for Protecting Sensitive Information, about the release.
For more information about the NIST Protecting CUI Project and other resources, see:
https://csrc.nist.gov/Projects/protecting-controlled-unclassified-information. Please direct questions and comments to sec-cert@nist.gov.