NIST SP 800-171r3 final draft released for protecting CUI in nonfederal systems, organizations; feedback invited

The National Institute of Standards and Technology (NIST) has recently released the final public draft of its Special Publication (SP) 800-171, Revision 3. This publication aims to provide federal agencies with recommended security requirements for safeguarding the confidentiality of Controlled Unclassified Information (CUI) when it is stored in nonfederal systems and organizations. The SP 800-171r3 specifically addresses situations where there are no specific safeguarding requirements outlined by the authorizing law, regulation, or government-wide policy for the particular CUI category listed in the CUI registry. 

Additionally, the requirements of SP 800-171r3 do not apply to nonfederal organizations that are collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency.

The publication of the NIST SP 800-171r3 draft document represents over one year of data collection, technical analyses, customer interaction, redesign, and development of the security requirements and supporting information for the protection of CUI. Many trade-offs have been made to ensure that the technical and non-technical requirements have been stated clearly and concisely while recognizing the specific needs of federal and nonfederal organizations.

Titled ‘Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,’ the final public draft (fpd) of NIST SP 800-171r3 is open for input until Jan. 12, 2024. Reviewers are encouraged to comment on all or parts of the draft, and the agency is specifically interested in comments, feedback, and recommendations on the re-categorized controls, the new tailoring criteria, the inclusion of organization-defined parameters (ODPs), the new or revised requirements, and the prototype CUI overlay.

ODPs are included in some requirements and they provide flexibility through the use of assignment and selection operations to allow federal agencies and nonfederal organizations to specify values for the designated parameters in the requirements. Assignment and selection operations provide the capability to customize the security requirements based on specific protection needs. The determination of organization-defined parameter values can be guided and informed by laws, Executive Orders, directives, regulations, policies, standards, guidance, or mission and business needs. Once specified, the values for the organization-defined parameters become part of the requirement.

The document outlines that the protection of CUI resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government. It provides federal agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations.

The requirements apply to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components. The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. 

“Appropriately scoping requirements is an important factor in determining protection-related investment decisions and managing security risks for nonfederal organizations. If nonfederal organizations designate specific system components for the processing, storage, or transmission of CUI, those organizations may limit the scope of the security requirements by isolating the designated system components in a separate CUI security domain. Isolation can be achieved by applying architectural and design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms).” 

Additionally, security domains may employ physical separation, logical separation, or a combination of both. “This approach can provide adequate security for CUI and avoid increasing the organization’s security posture beyond what it requires for protecting its missions, operations, and assets.”
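To make the scoping idea in the passage above concrete, here is an added example that is not part of the NIST document or of this article. It models a single isolated CUI security domain (one subnet behind a boundary device), an ordered, default-deny information-flow policy for traffic crossing that boundary, and a small scoping audit that flags components whose placement undermines the isolation. Every address, subnet, host name and rule below is constructed sample data, and the rule format is an assumption made for the example, not a NIST-defined artifact.

```python
"""Added example: CUI security-domain boundary policy and scoping audit.

Models the approach described in NIST SP 800-171r3: designated components
that handle CUI live in a separate subnetwork, and a boundary device
enforces information-flow rules between that domain and the rest of the
organization. All addresses and rules are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addressing (assumptions, not from the source).
CUI_DOMAIN = ip_network("10.20.0.0/24")       # isolated CUI security domain
ENTERPRISE = ip_network("10.0.0.0/16")        # general enterprise network
ADMIN_JUMP_HOST = ip_network("10.0.5.10/32")  # only host allowed to SSH in
PATCH_MIRROR = ip_network("10.0.9.20/32")     # only outbound HTTPS destination


@dataclass(frozen=True)
class Flow:
    """A candidate connection seen at the boundary device."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One ordered boundary rule; a None field matches anything."""
    action: str                    # "allow" or "deny"
    src: Optional[object] = None   # ip_network (a host is a /32)
    dst: Optional[object] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return ((self.src is None or ip_address(f.src) in self.src)
                and (self.dst is None or ip_address(f.dst) in self.dst)
                and (self.dport is None or self.dport == f.dport)
                and (self.proto is None or self.proto == f.proto))


# Information-flow policy for the boundary: first match wins, default deny.
BOUNDARY_RULES = [
    Rule("allow", src=ADMIN_JUMP_HOST, dst=CUI_DOMAIN, dport=22, proto="tcp"),
    Rule("allow", src=CUI_DOMAIN, dst=PATCH_MIRROR, dport=443, proto="tcp"),
    Rule("deny", src=ENTERPRISE, dst=CUI_DOMAIN),   # nothing else enters
    Rule("deny", src=CUI_DOMAIN),                   # nothing else leaves
]


def crosses_boundary(f: Flow) -> bool:
    """True when exactly one endpoint is inside the CUI domain."""
    return (ip_address(f.src) in CUI_DOMAIN) != (ip_address(f.dst) in CUI_DOMAIN)


def evaluate(f: Flow, rules=BOUNDARY_RULES):
    """Return (verdict, matching rule index).

    Verdict is 'internal' for traffic that never reaches the boundary,
    otherwise the action of the first matching rule, or 'deny' by default.
    """
    if not crosses_boundary(f):
        return ("internal", None)
    for i, rule in enumerate(rules):
        if rule.matches(f):
            return (rule.action, i)
    return ("deny", None)


def audit_scope(inventory):
    """Flag components whose placement breaks the isolation assumption.

    inventory: iterable of (name, ip, handles_cui) tuples.
    """
    findings = []
    for name, ip, handles_cui in inventory:
        inside = ip_address(ip) in CUI_DOMAIN
        if handles_cui and not inside:
            findings.append(f"{name} ({ip}) handles CUI outside the CUI domain; "
                            "it pulls the surrounding network into scope")
        elif inside and not handles_cui:
            findings.append(f"{name} ({ip}) is in the CUI domain without handling "
                            "CUI; it inherits the requirements anyway")
    return findings


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    ("cui-fileserver", "10.20.0.15", True),
    ("cui-workstation-1", "10.20.0.31", True),
    ("hr-portal", "10.0.12.4", False),
    ("legacy-cad-share", "10.0.33.8", True),   # CUI left outside the domain
    ("printer-lobby", "10.20.0.200", False),   # non-CUI device inside it
]

if __name__ == "__main__":
    for flow in (Flow("10.0.5.10", "10.20.0.15", 22),
                 Flow("10.0.7.3", "10.20.0.15", 22),
                 Flow("10.20.0.15", "10.0.9.20", 80)):
        print(flow, "->", evaluate(flow))
    for finding in audit_scope(SAMPLE_INVENTORY):
        print("SCOPE:", finding)
```

The two functions correspond to the two halves of the passage: `evaluate` is the boundary device applying information flow control, and `audit_scope` is the check that the designated components really are the only ones in the isolated domain, which is what lets the organization limit the set of systems the requirements apply to.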

The security requirements in previous versions of NIST SP 800-171 were stated at a high level of abstraction and left detailed specifications to the implementers and the assessors. While certain organizations viewed this lack of specificity favorably, others stated that it made the solution space too broad and left the requirements open to interpretation and subjective in their application. The lack of specificity also made assessments more difficult since assessors had different expectations and interpretations of whether organizations satisfied the requirements. The increased specificity in Revision 3 continues to allow for flexibility in implementation but also aligns security requirement language to the control language in NIST SP 800-53.

The draft NIST SP 800-171r3 lays down assumptions and methodology used to develop the security requirements for protecting the confidentiality of CUI, the format of the requirements, and the tailoring criteria applied to the NIST standards and guidelines to obtain the requirements. 

The security requirements are based on the assumptions that federal information designated as CUI has the same value whether it resides in a federal or a nonfederal system or organization; that statutory and regulatory requirements for the protection of CUI are consistent in federal and nonfederal systems and organizations; that the safeguards implemented to protect CUI are consistent in federal and nonfederal systems and organizations; that the confidentiality impact value for CUI is no less than moderate; and that nonfederal organizations can directly implement a variety of potential security solutions or use external service providers to satisfy the security requirements.

Starting with the NIST SP 800-53 controls in the NIST SP 800-53B [12] moderate baseline, the controls are tailored to eliminate selected controls or parts of controls that are primarily the responsibility of the federal government; not directly related to protecting the confidentiality of CUI; adequately addressed by other related controls; or are simply not applicable. 

“The NIST SP 800-171 security requirements represent a subset of the controls that are necessary to protect the confidentiality of CUI,” the document said. “The security requirements are organized into 17 families. Each family contains the requirements related to the general security topic of the family. Certain families from NIST SP 800-53 are not included due to the aforementioned tailoring criteria,” it added. 

The draft NIST SP 800-171r3 describes 17 families of security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations. “When used in the context of the requirements in Section 3, the term system is narrowed to only include nonfederal systems or system components that process, store, or transmit CUI or that provide protection for such systems or components. Not all security requirements mention CUI explicitly.” 

However, the requirements are included because they directly affect the protection of CUI during processing, while in storage, and during transmission between different locations. Some systems, including specialized systems (e.g., industrial/process control systems, medical devices, computer numerical control machines), may have limitations on the application of certain security requirements, the agency detailed.

In September, NIST published the third revision of NIST SP 800-82, with updates focusing on the expansion in scope from industrial control systems (ICS) to operational technology (OT); updates to OT threats and vulnerabilities; and updates to OT risk management, recommended practices, and architectures. The NIST SP 800-82r3 document provides OT asset owners and operators with updates to current activities in OT security; and updates to security capabilities and tools for OT.
