NIST charts proposed updates to SP 800-171 for covering controlled unclassified information


The National Institute of Standards and Technology (NIST) provided on Thursday a status update of its Special Publication (SP) 800-171, which provides a set of recommended security requirements for protecting the confidentiality of CUI (controlled unclassified information). The document addresses the protection of CUI in non-federal systems and organizations, while also giving federal agencies a set of recommended security requirements they can levy on those organizations for the same purpose. 

Last July, NIST announced its intention to update the series of special publications dedicated to the Protection of Controlled Unclassified Information. Many changes are actively under consideration, reflecting the current thinking of NIST after extensive review and analysis of the public comments.

Based on the feedback received, inputs from workshops and conferences, and discussions with federal agencies, the changes under consideration include streamlining the ‘Introduction’ and ‘Fundamentals’ sections of the document; withdrawing requirements that are either outdated, no longer relevant, or redundant with other requirements; reassigning some of the NFO controls to the CUI, NCO, or FED tailoring categories; and adding new requirements based on changes to the NIST moderate control baseline in SP 800-53B and the reassignment of selected NFO controls. 

Additionally, the revised version will change the wording of selected requirements to achieve greater clarity and consistency with the controls in SP 800-53. It will also combine requirements where appropriate for greater efficiency, add organizationally-defined parameters to selected requirements to achieve greater specificity of control requirements and update the discussion sections for individual requirements. 

NIST also added that SP 800-171 will update the supplemental information for individual requirements with additional technical references and mappings to SP 800-53, Revision 5 controls. 

It will also revise the structure of the References, Glossary, and Acronyms sections for greater clarity and ease of use. Additionally, it will revise the tailoring and mapping tables in ‘Appendix C’ and ‘Appendix D,’ respectively, for consistency with the changes in the Requirements section, and add a ‘CUI Overlay’ appendix using the controls from SP 800-53, Revision 5, and the tailored moderate baseline from SP 800-53B.

In November, NIST provided an analysis of public comments following the pre-draft call for comments in its CUI Series. The purpose of the July call was to solicit feedback from interested parties to improve NIST Special Publication (SP) 800-171, and its supporting publications SP 800-171A, SP 800-172, and SP 800-172A. 

During the 90-day public comment period, over 60 individuals and organizations submitted comments describing how they use the CUI series and provided feedback on potential updates for consistency with SP 800-53, Revision 5, and SP 800-53B. The comments also addressed implementation and usability issues and provided other suggestions to improve the publication.

Responding organizations largely included members of the defense industrial base that use the CUI series to meet contractual and/or solicitation requirements for the Defense Federal Acquisition Regulation Supplement (DFARS) and to prepare for the Department of Defense (DOD) Cybersecurity Maturity Model Certification (CMMC). 

SP 800-171 provides a comprehensive set of requirements to protect CUI, and SP 800-171A provides procedures for the assessment of the CUI security requirement implementation. In many cases, organizations did not use the CUI series alone and referenced the relationships between the series and other NIST guidelines, as well as sector-specific and international cybersecurity standards and requirements (e.g., SP 800-53, NIST Risk Management Framework, Cybersecurity Framework, CMMC, FedRAMP, HiTRUST, ISO 27001, ISO 27002).

The comments refer to the benefit of a uniform set of security requirements to protect CUI and meet contractual and regulatory requirements. Some comments mentioned the use of the series as a source of cybersecurity requirements that support ‘good cyber hygiene’ and ‘best practices.’ 

The document also said that there have been challenges in using the CUI series, including implementation issues with specific CUI requirements, difficulties for non-technical and non-cybersecurity stakeholders, and the challenge of implementing multiple sets of requirements and controls, such as SP 800-171, SP 800-53, and ISO 27001/27002. While out of scope for NIST, some of the comments addressed the applicable scope of the publication as well as the cost of implementation and compliance with different contractual and regulatory requirements. 

The November document said that an initial public draft of SP 800-171, Revision 3, is planned for late spring 2023. Based on the feedback from the pre-draft call for comments and ongoing NIST research efforts, the updates planned in the forthcoming draft include upgrading the security requirements for consistency and alignment with SP 800-53, Revision 5, and the SP 800-53B moderate-impact baseline, it added at the time. 

It also addresses developing a CUI overlay to better link the CUI security requirements to the SP 800-53 controls for stakeholder feedback. Lastly, it considers and proposes options on how best to address stakeholder feedback on the NFO control tailoring. 

NIST developed SP 800-171 after it and the National Archives and Records Administration (NARA) objected to DFARS' use of a selected subset of SP 800-53 controls and asserted that the full moderate-impact baseline was required for the protection of CUI. 

There was broader stakeholder concern regarding the implementation challenges of applying the SP 800-53 controls, originally developed for federal systems, to non-federal systems. NIST assessed that some controls, or elements of controls, should not apply outside the US government (they are federal-centric); that some controls are overly granular when applied to an 'as-built' contractor system; and that many baseline controls are unnecessary for the protection of CUI.

The solution was to develop a separate NIST SP for the protection of CUI in nonfederal organizations. It is based on FIPS 200, with control language drawn from SP 800-53 to meet the moderate impact level, and uses performance-based requirements so that it can be applied to existing non-federal systems, while eliminating federal-centric requirements and focusing on providing confidentiality protection for CUI.

In late January, NIST released a voluntary PNT Profile created by using the NIST Cybersecurity Framework, which can be used as part of a risk management program to help organizations manage risks to systems, networks, and assets that use PNT (Positioning, Navigation, and Timing) services. The PNT Profile provides a flexible framework for users of PNT to manage risks when forming and using PNT signals and data, which are susceptible to disruptions and manipulations that can be natural, manufactured, intentional, or unintentional.
