NIST Finalizes Guidelines for Protecting Controlled Unclassified Information (CUI)

Published: July 03, 2024


The final publication of SP 800-171 streamlines processes and adds new cybersecurity controls for government contractors.

In May, the National Institute of Standards and Technology (NIST) issued the final version of Special Publication (SP) 800-171 Revision 3, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.

The agency issued the draft for public comment last September, with comments collected through January 2024. The final version added new cybersecurity requirements, reduced existing controls by 14% and realigned the security requirements more closely with the assessment procedures, making it easier for federal organizations and government contractors to follow.

The updated standard added Planning, System and Service Acquisition, and Supply Chain Risk Management families to the existing 14 requirement families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment and Monitoring, System and Communications Protection, and System and Information Integrity. These 17 families are mapped to more than 1,000 compliance evaluation controls and procedures provided under NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, which is itself based on the NIST Cybersecurity Framework and Risk Management Framework.

Overall, SP 800-171 Revision 3 withdrew 33 security requirements, added 19 new cybersecurity requirements for non-federal systems and made 97 security requirement changes, 46 of which were significant. The standard also added 49 new Organization-Defined Parameters (ODPs) that correlate more closely with NIST SP 800-53. Major changes include:

  • Streamlined introductory information to improve clarity and customer understanding
  • Eliminated the distinction between basic and derived security requirements
  • Updated security requirements and families to reflect changes in the SP 800-53r5 control catalog, SP 800-53B moderate control baseline, and tailoring criteria
  • Increased the specificity of security requirements to remove ambiguity, improve the effectiveness of implementation, and clarify the scope of assessments
  • Eliminated the Non-Federal Organization (NFO) control tailoring category
  • Introduced a new control tailoring category for controls that are addressed by Other Related Controls (ORC)
  • Introduced ODP in select security requirements to increase flexibility and to help organizations better manage risk
  • Clarified the responsibility for assigning ODP values
  • Removed outdated and redundant security requirements
  • Combined security requirements (or parts of requirements) with other requirements for consistency and ease of use
  • Added security requirements due to control categorization changes
  • Sequenced the content in the discussion sections to align with the individual parts of the requirements
  • Modified the tailoring categories of selected controls and control items (subparts of controls)
  • Updated tailoring and mapping tables and developed transition mapping tables that outline changes between Revision 2 and Revision 3
  • Added an Appendix to consolidate ODPs in a single location for easy reference
  • Developed a CUI overlay that is available as a separate document on the NIST publication details website with SP 800-171r3
  • Included hyperlinks to the NIST Cybersecurity and Privacy Reference Tool (CPRT).

Significant cybersecurity-related requirements address the following:

  • Enhanced cryptography requirements
  • Multi-Factor Authentication (MFA)
  • Supply Chain Risk Management
  • Software Usage Policies
  • Documentation and location of information.

Background:

NIST issued SP 800-53 in February 2005 to provide standard security and privacy controls for protecting federal information systems and organizations. The agency released SP 800-171 ten years later, and Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 set it as the compliance standard for non-federal systems that process, store or transmit CUI, or that provide protection for such components.

At the time, SP 800-171 included 14 security control families mapped to NIST SP 800-53 but did not cover potential advanced persistent threats (APTs) to CUI associated with a critical program or high-value asset. To address the gap, NIST issued SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171, adding 182 assessment procedures for APTs.

NIST updated the guidelines and procedures multiple times over the ensuing nine years in response to increasing and ever-changing cyber threats.

The latest revision to SP 800-53 (SP 800-53 Rev. 5) added controls addressing identity providers, authorization servers, protection of cryptographic keys, verification of identity assertions and access tokens, and token management. The update withdrew 90 controls, removed the word “Federal” from the title to indicate that the controls apply to all organizations, and de-emphasized the federal focus to encourage adoption by non-federal organizations. Still, the catalog contains more than 1,000 controls, many of which are ambiguous and difficult to understand, complete and implement.

The second revision to SP 800-171, NIST SP 800-171 Revision 2, made only minor editorial revisions and categorized the security requirements as basic and derived. Due to the release of the Cybersecurity Maturity Model Certification (CMMC), Revision 2 also removed the self-attestation option for organizations regarding their compliance.

This brings us to the current publication, SP 800-171 Rev. 3. The final version adds requirements for Planning, System and Service Acquisition, and Supply Chain Risk Management to the 14 control families and renames Security Assessment to Security Assessment and Monitoring. The improved alignment of the security controls with SP 800-53, together with the added ODPs and tailoring criteria, allows contractors to adapt the procedures to their organizational missions, processes and risk management requirements. Taking it a step further, NIST also issued a companion publication, SP 800-171A Rev. 3, providing a crosswalk between SP 800-53 and SP 800-171 Rev. 3 to assist users in determining whether they have met the requirements.

Contractor Implications

To allow contractors and organizations time to transition to the new version, the Department of Defense (DoD) issued Class Deviation 2024-O0013, Safeguarding Covered Defense Information and Cyber Incident Reporting, advising contractors to continue using NIST SP 800-171 Revision 2 until the planned update to the CMMC. This ensures contractors maintain adequate security measures to protect sensitive DoD information until the transition is complete.

Moving forward, non-compliance with SP 800-171 is not an option for contractors looking to compete for federal contracts. With updates to SP 800-172 and the Cybersecurity Maturity Model Certification (CMMC) on the horizon, and artificial intelligence guidance evolving rapidly, firms must ensure their organizational cybersecurity policies and procedures remain in tune with the NIST standards.

SP 800-171 Rev. 3 at a Glance