This is a potential security issue, you are being redirected to https://csrc.nist.gov.
Date Published: July 19, 2022
Comments Due: September 16, 2022 (public comment period is CLOSED)
Email Questions to: email@example.com
Planning Note (11/1/2022):
We have posted an analysis of public comments received. During the 90-day public comment period, more than 60 individuals and organizations submitted comments describing how they use the CUI series and provided feedback on potential updates for consistency with SP 800-53, Revision 5, and SP 800-53B. The comments also addressed implementation and usability issues and provided other suggestions to improve the publication.
NIST plans to update the Controlled Unclassified Information (CUI) series of publications, starting with Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. To support this planned update, NIST is issuing this Pre-Draft Call for Comments to solicit feedback from interested parties to improve the publication and its supporting publications, SP 800-171A, SP 800-172, and SP 800-172A.
SP 800-171 was published in June 2015 with minor updates in December 2016 and February 2020. Since the initial publication date, there have been significant changes in the cybersecurity threats, vulnerabilities, capabilities, technologies, and resources that impact the protection of CUI. In addition, there are the experiences of the organizations that have implemented SP 800-171 and its supporting publications. With these changes and opportunities to learn from implementers, NIST seeks feedback about the use, effectiveness, adequacy, and ongoing improvement of the CUI series.
The following is a non-exhaustive list of topics that may be addressed in the call for comments. Comments may also include other topics related to the improvement of the CUI series. NIST will consider all relevant topics in the development of the revised SP 800-171 and its supporting publications.
Use of the CUI Series
Updates for consistency with SP 800-53 Revision 5 and SP 800-53B
Updates to improve usability and implementation
 The term overlay is a specification of security or privacy controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process that is intended to complement (and further refine) security control baselines. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems.
 The term tailoring is the process by which control baselines are modified by (1) identifying and designating common controls, (2) applying scoping considerations on the applicability and implementation of SP 800-53B baseline controls, (3) selecting compensating controls, (4) assigning specific values to organization-defined control parameters, (5) supplementing baselines with additional controls or control enhancements, and (5) providing additional specification information for control implementation.
Access Control; Audit and Accountability; Awareness and Training; Configuration Management; Identification and Authentication; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; System and Communications Protection; System and Information Integrity
Protecting CUI project
Public Comments Received (web)
Analysis of Public Comments (pdf)
07/19/22: SP 800-171 Rev. 3 (Draft)
Security and Privacy
audit & accountability; awareness training & education; maintenance; security controls; threats
Laws and Regulations
Federal Acquisition Regulation; Federal Information Security Modernization Act