The protection of Controlled Unclassified Information (CUI) in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. The suite of guidance (NIST Special Publication (SP) 800-171, SP 800-171A, and SP 800-171B) focuses on protecting the confidentiality of CUI and recommends specific security requirements to achieve that objective. It does not change the information security requirements set forth in the Federal Information Security Modernization Act (FISMA), nor does it alter the responsibility of federal agencies to comply with the full provisions of the statute, the policies established by OMB, and the supporting security standards and guidelines developed by NIST.
Security Requirements for Protecting CUI
NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when:
- such information is resident in nonfederal systems and organizations;
- the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and
- where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry.
Assessing CUI Security Requirements
NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, provides assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements in NIST Special Publication 800-171. The assessment procedures are flexible and can be customized to the needs of the organizations and the assessors conducting the assessments. Security assessments can be conducted as self-assessments; independent, third-party assessments; or government-sponsored assessments and can be applied with various degrees of rigor, based on customer-defined depth and coverage attributes.
Enhanced Security Requirements for Critical Programs and High Value Assets (HVA)
DRAFT NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets, offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure. When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)). The enhanced security requirements in NIST SP 800-171B are supplemental and do not impact the basic and derived security requirements contained in NIST SP 800-171, nor the scope of the implementation of the NIST SP 800-171 security requirements.
Publication Schedule Update: The following publication is on hold pending completion of the review cycle for SP 800-53, Revision 5 by the Office of Management and Budget, Office of Information and Regulatory Affairs, due to its dependencies on SP 800-53, Revision 5 controls.
For more information on the SP 800-53, Revision 5 publication schedule, see: https://csrc.nist.gov/Projects/Risk-Management/schedule
NIST Special Publication 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets