The National Institute of Standards and Technology seeks feedback for Draft NIST Special Publication (SP) 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and Draft NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets.
This new document offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure, NIST said in a release. When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries. You only have to read the news to understand the proliferation of the advanced persistent threat (APT) by rogue states and cyber criminals. In recent years, these critical programs and HVAs have been subject to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST to prevent the loss and exploitation of proprietary information that could impact national security.
The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171, since the basic and derived requirements are not designed to address the APT. The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a critical program or HVA. The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement, NIST said.
All public comments received on Draft NIST SP 800-171B will be posted at https://csrc.nist.gov/projects/protecting-cui/public-comments both and https://www.regulations.gov/docket?D=NIST-2019-0002 (Regulations.gov docket no. NIST-2019-0002) without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or business information).
The public comment period for both publications ends on July 19, 2019. Comments can also be submitted on a Department of Defense (DoD) cost estimate for implementing the enhanced security requirements of SP 800-171B. See the publication details links below for document files and instructions.
Draft NIST SP 800-171 Rev. 2 provides minor editorial changes in Chapters One and Two, and in the Glossary, Acronyms, and References appendices. There are no changes to the basic and derived security requirements in Chapter Three. For ease of use, the Discussion sections, previously located in Appendix F (SP 800-171 Rev. 1), have been relocated to Chapter Three to coincide with the basic and derived security requirements.
Publication details for SP 800-171 Rev. 2: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/draft
The DoD has completed a cost analysis to provide stakeholders insight into the estimated cost of implementing the enhanced security requirements in Draft NIST SP 800-171B. The cost analysis is available for review and comment at the publication details link below. Please submit any comments regarding the DoD cost analysis review by July 19, 2019 to www.regulations.gov/docket?D=DOD-2019-OS-0072 (Regulations.gov docket no. DOD-2019-OS-0072).
Publication details for Draft SP 800-171B (including the document, DoD Cost Estimate, and recommended comment template): https://csrc.nist.gov/publications/detail/sp/800-171b/draft
NOTE: A call for patent claims is included in both draft publications. For additional information, see the “Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications”: https://www.nist.gov/itl/information-technology-laboratory-itl-patent-policy-inclusion-patents-itl-publications.
Please send questions to email@example.com.