U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

SP 800-171 Rev. 3 (Draft)

Pre-Draft Call for Comments: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Date Published: July 19, 2022
Comments Due: September 16, 2022
Email Comments to: 800-171comments@list.nist.gov

Announcement

NIST plans to update the Controlled Unclassified Information (CUI) series of publications, starting with Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. To support this planned update, NIST is issuing this Pre-Draft Call for Comments to solicit feedback from interested parties to improve the publication and its supporting publications, SP 800-171A, SP 800-172, and SP 800-172A

SP 800-171 was published in June 2015 with minor updates in December 2016 and February 2020. Since the initial publication date, there have been significant changes in the cybersecurity threats, vulnerabilities, capabilities, technologies, and resources that impact the protection of CUI. In addition, there are the experiences of the organizations that have implemented SP 800-171 and its supporting publications. With these changes and opportunities to learn from implementers, NIST seeks feedback about the use, effectiveness, adequacy, and ongoing improvement of the CUI series. 

The following is a non-exhaustive list of topics that may be addressed in the call for comments. Comments may also include other topics related to the improvement of the CUI series. NIST will consider all relevant topics in the development of the revised SP 800-171 and its supporting publications.

Use of the CUI Series

  1. How organizations are currently using the CUI series (SP 800-171, SP 800-171A, SP 800-172, and SP 800-172A)
  2. How organizations are currently using the CUI series with other frameworks and standards (e.g., NIST Risk Management Framework, NIST Cybersecurity Framework, GSA Federal Risk and Authorization Management Program [FedRAMP], DOD Cybersecurity Maturity Model Certification [CMMC], etc.)
  3. How to improve the alignment between the CUI series and other frameworks
  4. Benefits of using the CUI series
  5. Challenges in using the CUI series

Updates for consistency with SP 800-53 Revision 5 and SP 800-53B

  1. Impact on the usability and existing organizational implementation (i.e., backward compatibility) of the CUI series if it were updated for consistency with SP 800-53 Revision 5 and the moderate security control baseline in SP 800-53B

Updates to improve usability and implementation

  1. Features of the CUI series should be changed, added, or removed. Changes, additions, and removals can cover a broad range of topics, from consistency with other frameworks and standards to rescoping criteria for inclusion of requirements. For example:
    1. Addition of new resources to support implementation: The benefits and challenges of including an SP 800-53 Control Overlay [1] and/or a Cybersecurity Framework Profile Appendix as an alternative way to express the CUI security requirements.
    2. Change to the security requirement tailoring criteria: Impact of modifying the criteria used to tailor [2] the moderate SP 800-53B security control baseline (e.g., the potential inclusion of controls that are currently categorized as NFO – Expected to be routinely satisfied by nonfederal organizations without specification)
  2. Any additional ways in which NIST could improve the CUI series
The comment period is open through September 16, 2022. Please submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.

[1] The term overlay is a specification of security or privacy controls, control enhancements, supplemental guidance, and other supporting information employed during the tailoring process that is intended to complement (and further refine) security control baselines. The overlay specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems.

[2] The term tailoring is the process by which control baselines are modified by (1) identifying and designating common controls, (2) applying scoping considerations on the applicability and implementation of SP 800-53B baseline controls, (3) selecting compensating controls, (4) assigning specific values to organization-defined control parameters, (5) supplementing baselines with additional controls or control enhancements, and (5) providing additional specification information for control implementation.

Abstract

Control Families

Access Control; Audit and Accountability; Awareness and Training; Configuration Management; Identification and Authentication; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; System and Communications Protection; System and Information Integrity

Documentation

Publication:
Protecting CUI project

Supplemental Material:
None available

Document History:
07/19/22: SP 800-171 Rev. 3 (Draft)