Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Pre-Draft Call for Comments: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Date Published: July 19, 2022
Comments Due: September 16, 2022
Email Comments to: 800-171comments@list.nist.gov

Announcement

NIST plans to update the Controlled Unclassified Information (CUI) series of publications, starting with Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. To support this planned update, NIST is issuing this Pre-Draft Call for Comments to solicit feedback from interested parties to improve the publication and its supporting publications, SP 800-171A, SP 800-172, and SP 800-172A.

SP 800-171 was published in June 2015 with minor updates in December 2016 and February 2020. Since the initial publication date, there have been significant changes in the cybersecurity threats, vulnerabilities, capabilities, technologies, and resources that impact the protection of CUI. In addition, there are the experiences of the organizations that have implemented SP 800-171 and its supporting publications. With these changes and opportunities to learn from implementers, NIST seeks feedback about the use, effectiveness, adequacy, and ongoing improvement of the CUI series.

The following is a non-exhaustive list of topics that may be addressed in the call for comments. Comments may also include other topics related to the improvement of the CUI series. NIST will consider all relevant topics in the development of the revised SP 800-171 and its supporting publications.

Use of the CUI Series

1. How organizations are currently using the CUI series (SP 800-171, SP 800-171A, SP 800-172, and SP 800-172A)
2. How organizations are currently using the CUI series with other frameworks and standards (e.g., NIST Risk Management Framework, NIST Cybersecurity Framework, GSA Federal Risk and Authorization Management Program [FedRAMP], DOD Cybersecurity Maturity Model Certification [CMMC], etc.)
3. How to improve the alignment between the CUI series and other frameworks
4. Benefits of using the CUI series
5. Challenges in using the CUI series

Updates for consistency with SP 800-53 Revision 5 and SP 800-53B

6. Impact on the usability and existing organizational implementation (i.e., backward compatibility) of the CUI series if it were updated for consistency with SP 800-53 Revision 5 and the moderate security control baseline in SP 800-53B

Updates to improve usability and implementation

7. Features of the CUI series should be changed, added, or removed. Changes, additions, and removals can cover a broad range of topics, from consistency with other frameworks and standards to rescoping criteria for inclusion of requirements. For example:
   1. Addition of new resources to support implementation: The benefits and challenges of including an SP 800-53 Control Overlay[1] and/or a Cybersecurity Framework Profile Appendix as an alternative way to express the CUI security requirements.
   2. Change to the security requirement tailoring criteria: Impact of modifying the criteria used to tailor [2]the moderate SP 800-53B security control baseline (e.g., the potential inclusion of controls that are currently categorized as NFO – Expected to be routinely satisfied by nonfederal organizations without specification)
8. Any additional ways in which NIST could improve the CUI series

The comment period is open through September 16, 2022. Please submit comments to 800-171comments@list.nist.gov. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.