The National Institute of Standards and Technology (NIST) on Nov. 9, 2023, released new draft guidance with revised cybersecurity requirements for protecting sensitive unclassified information housed in non-Federal systems and organizations, including government contractors.
The new draft guidance is the third revision (Revision 3) of NIST Special Publication 800-171, which outlines standards and practices for protecting controlled unclassified information (CUI): government-owned or government-created data that is not classified but still requires security controls.
According to NIST, protecting controlled unclassified information housed in non-Federal systems and organizations is “of paramount importance to Federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions.”
The release of the revised guidance follows NIST's solicitation of public feedback on an earlier draft of its proposed updates to SP 800-171 earlier this year.
“This update to NIST SP 800-171 represents over one year of data collection, technical analyses, customer interaction, redesign, and development of the security requirements and supporting information for the protection of controlled unclassified information,” NIST said.
The new updates respond to comments on that previous draft. Among the changes, NIST combined security requirements with other requirements "for consistency and ease of use" and eliminated the control tailoring category for non-Federal organizations.
“Many trade-offs have been made to ensure that the technical and non-technical requirements have been stated clearly and concisely while also recognizing the specific needs of both Federal and non-Federal organizations,” NIST said.
The updates provide Federal agencies with recommended security requirements for protecting the confidentiality of CUI when that information resides in non-Federal systems and organizations.
Specifically, the release includes a draft of the security requirements together with draft assessment procedures for determining whether those requirements have been satisfied. In this latest iteration, NIST continued to refine the security requirements to reduce the number of organization-defined parameters, reevaluate the tailoring categories and tailoring decisions, and restructure and streamline the discussion sections.
The revised cybersecurity requirements apply to components of non-Federal systems that process, store, or transmit CUI, or that provide protection for such components. The security requirements are intended for use by Federal agencies in contracts or other agreements established between those agencies and non-Federal organizations.
NIST said the public comment period for both draft publications (the security requirements and the companion assessment procedures) will remain open until Jan. 12, 2024, and the agency plans to publish the final versions in early 2024.