National Institute of Standards and Technology is seeking information for an update of Protecting Controlled Unclassified Information.
July 20, 2022
The National Institute of Standards and Technology ("NIST") is updating the Controlled Unclassified Information (CUI) series of publications, namely:
- Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
- SP 800-171A,
- SP 800-172, and
- SP 800-172A.
The topics NIST is looking to consider in any review are:
Use of the CUI Series
- How organizations are currently using the CUI series (SP 800-171, SP 800-171A, SP 800-172, and SP 800-172A)
- How organizations are currently using the CUI series with other frameworks and standards (e.g., NIST Risk Management Framework, NIST Cybersecurity Framework, GSA Federal Risk and Authorization Management Program [FedRAMP], DOD Cybersecurity Maturity Model Certification [CMMC], etc.)
- How to improve the alignment between the CUI series and other frameworks
- Benefits of using the CUI series
- Challenges in using the CUI series
Updates for consistency with SP 800-53 Revision 5 and SP 800-53B
- Impact on the usability and existing organizational implementation (i.e., backward compatibility) of the CUI series if it were updated for consistency with SP 800-53 Revision 5 and the moderate security control baseline in SP 800-53B
Updates to improve usability and implementation
- Features of the CUI series that should be changed, added, or removed. Changes, additions, and removals can cover a broad range of topics, from consistency with other frameworks and standards to rescoping criteria for inclusion of requirements. For example:
  - Addition of new resources to support implementation: The benefits and challenges of including an SP 800-53 Control Overlay [1] and/or a Cybersecurity Framework Profile Appendix as an alternative way to express the CUI security requirements.
  - Change to the security requirement tailoring criteria: Impact of modifying the criteria used to tailor [2] the moderate SP 800-53B security control baseline (e.g., the potential inclusion of controls that are currently categorized as NFO – Expected to be routinely satisfied by nonfederal organizations without specification).
- Any additional ways in which NIST could improve the CUI series