NIST releases feedback summary on SP 800-171 revision 3 to enhance protection of CUI

The National Institute of Standards and Technology (NIST) released on Wednesday a summary of feedback on the final public draft of Special Publication (SP) 800-171, Revision 3, along with the initial public draft of SP 800-171A Revision 3. These documents focus on protecting the confidentiality of CUI (Controlled Unclassified Information) and recommend specific security requirements to achieve that objective.

The final public draft (fpd) of SP 800-171r3 incorporated changes made in response to the public comments received on the initial public draft (ipd). Fewer public comments, and fewer individuals and organizations submitting them, were received on the fpd than on the ipd. The majority of comments received during the public comment period that closed on Jan. 26, 2024, addressed the SP 800-171r3 (fpd) security requirements, though many comments were associated with more than one topic (e.g., a single comment addressing both the use of organization-defined parameters and the discussion section).

Following the resolution of comments, NIST aims to release SP 800-171r3 and SP 800-171Ar3 in the third quarter of fiscal year 2024 (Spring 2024). NIST will maintain ongoing communication with the CUI community to exchange information and gather feedback, ensuring that its suite of resources meets user needs and offers effective protection for CUI.

NIST will not introduce security requirements in SP 800-171 that cannot be sourced to SP 800-53. Commenters are welcome to use the NIST SP 800-53 Public Comment Website to provide feedback on improving the [SP 800-53] controls, and the agency will incorporate accepted SP 800-53 content into future revisions of SP 800-171. 

Following the publication of SP 800-171r3 and SP 800-171Ar3, NIST will begin revising SP 800-172 and SP 800-172A. As with the process for SP 800-171r3, the initial public draft of the enhanced security requirements will be issued first, followed by a concurrent release of the final public draft of the [SP 800-172] enhanced security requirements and the initial public draft of the [SP 800-172A] assessment procedures.

The changes made in the SP 800-171r3 final public draft include the elimination of the NFO (not directly related to protecting the confidentiality of CUI) tailoring category, the introduction of a new tailoring category for controls that are addressed by other related controls (ORC), and a reduction in the number of organization-defined parameters (ODPs) achieved by removing ODPs that did not affect the security requirement. They also cover clarification of who is responsible for assigning ODP values, consolidation of security requirements for better consistency with SP 800-53, refinement of discussion sections for better understanding and usability, and the addition of leading zeros to security requirement identifiers to support automated tool usage.

NIST disclosed that the use of ODPs and the term ‘periodically’ in the requirements received the most comments at 115. “Fewer than 8% of those comments suggested adding ODPs to the requirements. Six commenters suggested that NIST clarify the entity responsible for assigning ODP values and provided suggestions for potential entities to define ODPs, although these issues are explicitly addressed in the publication and FAQ.” 

Furthermore, there were over 70 comments on defining ODPs and the term ‘periodically’ in specific requirements as well as suggestions for values/ranges of values to use. Twenty-six comments recommended removing specific ODPs.

NIST made the design decision to have the SP 800-171 security requirement structure and content mirror the SP 800-53 source controls. Over 25 comments provided feedback that could benefit from first being applied to a future revision of SP 800-53 and then included in future revisions of SP 800-171. Many of the suggestions to the [SP 800-171] security requirements and discussion sections helped clarify scope and intent.

“NIST requests that commenters use the NIST SP 800-53 Public Comment Website to provide feedback on improving the [SP 800-53] controls,” the document said. “While the [SP 800-171] security requirements and discussion sections are designed to mirror the [SP 800-53] controls to the maximum extent possible, there are differences due to tailoring decisions for protecting the confidentiality of controlled unclassified information (CUI).”

The agency identified over 40 comments that addressed tailoring decisions, including specific decisions for ORCs, the decision to tailor at the control item level, suggestions for tailoring additional [SP 800-53] controls and control enhancements, and recommendations for further tailoring of [SP 800-171] requirements and discussion sections to better support the protection of CUI confidentiality.

NIST received fewer than 150 comments on SP 800-171Ar3 (ipd). Many commenters were not as familiar with the purpose, scope, and structure of the [SP 800-171A] assessment procedures or the source [SP 800-53A] assessment methodology and terminology. Approximately 25 comments requested clarification on specific terminology related to the assessment methodology and specific security requirement assessment procedures. 

Over 20 comments suggested the addition of specific assessment procedures for security requirements to further define portions of the source security requirement. Other comments identified errors, omissions, and opportunities for improving consistency and usability in the assessment procedures. 

The agency added that there were approximately 25 comments on the FAQ, CUI Overlay, and Analysis of Changes between [SP 800-171] Revision 2 and Revision 3 (fpd). Most of these comments identified minor errors and omissions in the CUI overlay tailoring decisions and analysis of changes.

NIST detailed that, based on the initial adjudication of comments, changes to SP 800-171, SP 800-171A, and the supplemental resources will include corrections for errors, omissions, and typos; better alignment and consistency with the source publications, SP 800-53 and SP 800-53A; and a review of ODPs and of the term ‘periodically’ to find the best balance between requiring explicit definition of parameters and giving implementers flexibility.

They will also include a review of all [SP 800-171] discussion sections to better tailor the guidance for protecting the confidentiality of CUI without adding specific examples, and additional background information about the source [SP 800-53A] assessment methodology and terminology.

Finally, the [SP 800-171A] assessment procedures will be updated to reflect changes to the [SP 800-171] security requirements, and the FAQ will be updated with additional information on the scope and applicability of SP 800-171 and SP 800-171A, the history and evolution of the CUI security requirements and associated assessment procedures, and responsibility for defining ODPs.
