NIST Issues Updated Security Requirements and Assessment Procedures for Protecting Controlled Unclassified Information (CUI)
NIST has published the final versions of Special Publication (SP) 800-171r3 (Revision 3), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and SP 800-171Ar3, Assessing Security Requirements for Controlled Unclassified Information.
Major updates to SP 800-171r3 include:
- Restructured security requirements to show direct alignment with SP 800-53r5 controls
- Introduction of organization-defined parameters (ODP)
- New tailoring criteria to reduce potential redundancy and improve clarity
- Recategorization of controls based on the new tailoring criteria
- Outcome-oriented guidance to reduce ambiguity and better support implementation
NIST is also issuing a CUI Overlay, an FAQ, and an analysis of changes between SP 800-171r2 and SP 800-171r3.
Major updates to SP 800-171Ar3 include:
- Modifications to achieve consistency with the SP 800-171r3 security requirements and source SP 800-53Ar3 assessment procedures
- Modifications to the assessment procedure structure and syntax
- Inclusion of ODPs to facilitate traceability and usability
- Guidance on conducting security requirement assessments
- A one-time “revision number” change for consistency and alignment with SP 800-171r3
The security requirements and assessment procedures have been issued concurrently through the Cybersecurity and Privacy Reference Tool (CPRT) to give users additional ways to access the datasets (i.e., via browser, download as spreadsheet, and JSON).
For more information about the NIST Protecting CUI Project and other resources, see: https://csrc.nist.gov/Projects/protecting-controlled-unclassified-information. Please direct questions and comments to sec-cert@nist.gov.
NIST Cybersecurity and Privacy Program
Questions/Comments about this notice: sec-cert@nist.gov
CSRC Website questions: csrc-inquiry@nist.gov