Date Published:

Comments Due:

Email Questions to:



Author(s)

Ron Ross (NIST), Victoria Pillitteri (NIST), Gary Guissanie (IDA), Ryan Wagner (IDA), Richard Graubart (MITRE), Deborah Bodeau (MITRE)

Announcement

Draft NIST SP 800-171B was developed in the spring of 2019 as a supplement to NIST SP 800-171. This new document offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure. When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)). In recent years, these critical programs and HVAs have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST.

The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171, since the basic and derived requirements are not designed to address the APT. The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a critical program or HVA. The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

Submitting comments:

Draft SP 800-171B: All public comments received on Draft NIST SP 800-171B will be posted on both the Protecting CUI project and Regulations.gov docket no. NIST-2019-0002 without change or redaction , so commenters should not include information they do not wish to be posted (e.g., personal or business information). We encourage you to use the comment template provided when submitting your comments. Comments on Draft SP 800-171B by July 19, 2019 has been extended to Friday, August 2, 2019. Submit comments to sec-cert@nist.gov.

on Draft NIST SP 800-171B the Protecting CUI project and Regulations.gov docket no. , so commenters should not include information they do not wish to be posted (e.g., personal or business information). We encourage you to use the comment template provided when submitting your comments. sec-cert@nist.gov. DoD Cost Analysis for Draft SP 800-171B: The DoD has completed a cost analysis to provide stakeholders insight into the estimated cost of implementing the enhanced security requirements in Draft NIST SP 800-171B. The cost analysis is available for review and comment at the publication details link below. Please submit any comments regarding the DoD cost analysis review by July 19, 2019 to Regulations.gov docket no. DOD-2019-OS-0072 .

The DoD has completed a cost analysis to provide stakeholders insight into the estimated cost of implementing the enhanced security requirements in Draft NIST SP 800-171B. The cost analysis is available for review and comment at the publication details link below. Regulations.gov docket no. Draft SP 800-171 Rev. 2: The comment period for Revision 2 of SP 800-171 is also open until July 19, 2019 has also been extended to Friday, August 2, 2019.

NOTE: A call for patent claims is included on page v of Draft SP 800-171B. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Abstract The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions. This publication provides federal agencies with recommended enhanced security requirements for protecting the confidentiality of CUI: (1) when the information is resident in nonfederal systems and organizations; (2) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and (3) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry. The enhanced requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components when the designated CUI is contained in a critical program or high value asset. The enhanced requirements supplement the basic and derived security requirements in NIST Special Publication 800-171 and are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions. This publication... See full abstract

Hide full abstract The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions. This publication provides federal agencies with recommended enhanced security requirements for protecting the confidentiality of CUI: (1) when the information is resident in nonfederal systems and organizations; (2) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and (3) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry. The enhanced requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components when the designated CUI is contained in a critical program or high value asset. The enhanced requirements supplement the basic and derived security requirements in NIST Special Publication 800-171 and are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. Keywords advanced persistent threat ; basic security requirement ; contractor systems ; Controlled Unclassified Information ; CUI Registry ; derived security requirement ; enhanced security requirement ; Executive Order 13556 ; FIPS Publication 199 ; FIPS Publication 200 ; FISMA ; NIST Special Publication 800-53 ; nonfederal organizations ; nonfederal systems ; security assessment ; security control ; security requirement

Control Families

None selected