NIST Releases Revised Cybersecurity Controls And Requirements For Protection Of Controlled Unclassified Information Resident In Contractor Information Technology Systems

On May 10, 2023, the National Institute of Standards and Technology (“NIST”) released an Initial Public Draft of Revision 3 to NIST Special Publication (“SP”) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Although still in draft form, the document provides important guidance to federal government contractors and other companies that must use NIST SP 800-171 as a baseline for cybersecurity compliance. The draft Revision 3 was informed by public comments received by NIST, and NIST is seeking additional public comment on this revision.


Background


NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems. SP 800-171 is used as a baseline of security requirements for protection of controlled unclassified information (“CUI”)—sensitive information that requires certain confidentiality, access, or dissemination controls—when that information resides outside of federal government systems (i.e., on contractor systems). The requirements apply to those components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components, and only where no other applicable law, regulation, or policy prescribes different or more specific safeguarding requirements. The NIST SP 800-171 requirements are imposed via contractual vehicles or other agreements established between federal agencies and nonfederal organizations. Outside of government agreements, commercial parties also may require or rely upon the requirements of NIST SP 800-171 as a cybersecurity compliance standard.


The requirements of SP 800-171 are derived from Federal Information Processing Standards (“FIPS”) 199, Standards for Security Categorization of Federal Information and Information Systems; FIPS 200, Minimum Security Requirement ..
