Protecting Controlled Unclassified Information (CUI)
Overview
Protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations is critical to federal agencies. The suite of guidance (NIST Special Publication (SP) 800-171, SP 800-171A, SP 800-172, and SP 800-172A) focuses on protecting the confidentiality of CUI and recommends specific security requirements to achieve that objective.
- May 14, 2024: NIST publishes the final versions of SP 800-171r3 (Revision 3), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and SP 800-171Ar3, Assessing Security Requirements for Controlled Unclassified Information. Other supplemental resources to assist implementers include an analysis of changes between SP 800-171r2 and SP 800-171r3, a CUI Overlay that shows the direct SP 800-53 control item tailoring for the CUI security requirements, and an FAQ. Users can also access the security requirements and assessment procedures through the Cybersecurity and Privacy Reference Tool (CPRT).
- February 21, 2024: NIST issues a summary and analysis of the comments received on SP 800-171r3 (final public draft) and SP 800-171Ar3 (initial public draft). Additionally, the current (final) versions of SP 800-171r2, SP 800-171A, SP 800-172, and SP 800-172A are now available in the Cybersecurity and Privacy Reference Tool.
- February 6, 2024: Comments received on SP 800-171r3 (fpd) and SP 800-171Ar3 (ipd) are posted.
- December 14, 2023: NIST announces an extension of the public comment period on both the final public draft (fpd) of SP 800-171r3 and initial public draft (ipd) of SP 800-171Ar3 to January 26, 2024 and opens registration for a free webinar, Critical Updates to NIST's CUI Publications: What You Need to Know, on January 10, 2024 from 1 p.m. to 2 p.m. EST.
NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides a set of recommended security requirements for protecting the confidentiality of CUI.
NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, provides assessment procedures and a methodology to conduct assessments of the CUI security requirements in NIST SP 800-171.
NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, provides enhanced security requirements to help protect CUI associated with critical programs or high value assets in nonfederal systems and organizations from the advanced persistent threat (APT).
NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, provides assessment procedures and a methodology to conduct assessments of the enhanced security requirements in NIST SP 800-172.
Created June 13, 2019, Updated June 06, 2024