NIST releases finalized security guidelines for controlled unclassified information in SP 800-171r3, SP 800-171Ar3

The U.S. National Institute of Standards and Technology (NIST) has released the final versions of Special Publication (SP) 800-171r3 (Revision 3) and SP 800-171Ar3 covering updated security requirements and assessment procedures for protecting controlled unclassified information (CUI). SP 800-171r3 aims to provide clearer guidance, reduce ambiguity, and enhance implementation support. These security requirements and assessment procedures are now available through the Cybersecurity and Privacy Reference Tool (CPRT), offering users various access methods like browsing, downloading as a spreadsheet, and JSON format. 

Key updates in SP 800-171r3 include aligning security requirements with SP 800-53r5 controls, introducing organization-defined parameters (ODPs), new tailoring criteria for clarity and efficiency, and the recategorization of controls based on the updated tailoring criteria.

The CUI regulation requires federal agencies that use federal information systems, including operational technology (OT), information technology (IT), Internet of Things (IoT) devices, industrial IoT (IIoT) devices, specialized systems, cyber-physical systems, embedded systems, and sensors to process, store, or transmit CUI to comply with NIST standards and guidelines. The responsibility of federal agencies to protect CUI does not change when such information is shared with non-federal organizations. Therefore, a similar level of protection is needed when CUI is processed, stored, or transmitted by nonfederal organizations using nonfederal systems.

Similarly, SP 800-171Ar3 includes updates for consistency with the corresponding SP 800-171r3 security requirements and the source SP 800-53Ar3 assessment procedures, including modifications to the assessment procedure structure and syntax, and the inclusion of ODPs to facilitate traceability and usability.

In response to the feedback received during the public comment period, additional guidance on conducting security requirement assessments was also included, and a one-time ‘revision number’ change was made for consistency and alignment with SP 800-171r3.

The security requirements are only applicable to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components. They are based on several assumptions: that federal information designated as CUI has the same value whether it resides in a federal or nonfederal system or organization; that statutory and regulatory requirements for the protection of CUI are consistent in federal and nonfederal systems and organizations; and that safeguards implemented to protect CUI are consistent in federal and nonfederal systems and organizations.

These requirements are intended for use by federal agencies in contractual vehicles or other agreements that are established between those agencies and non-federal organizations. Appropriately scoping requirements is an important factor in determining protection-related investment decisions and managing security risks for non-federal organizations. 

Furthermore, if non-federal organizations designate system components for the processing, storage, or transmission of CUI, those organizations may limit the scope of the security requirements by isolating the system components in a separate security domain. Isolation can be achieved by applying architectural and design concepts. Security domains may employ physical separation, logical separation, or a combination of both. This approach can provide adequate security for CUI and avoid increasing the organization’s security posture beyond what it requires for protecting its missions, operations, and assets.

Additionally, the confidentiality impact value for CUI is no less than moderate. Non-federal organizations can directly implement a variety of potential security solutions or use external service providers to satisfy the security requirements.

ODPs are included in certain security requirements. ODPs provide flexibility through the use of assignment and selection operations to allow federal agencies and non-federal organizations to specify values for the designated parameters in the requirements. Assignment and selection operations provide the capability to customize the security requirements based on specific protection needs. 

Additionally, the determination of ODP values can be guided and informed by laws, executive orders, directives, regulations, policies, standards, guidance, or mission and business needs. Once specified, the values for the ODPs become part of the requirement.

These measures are an important part of a security requirement specification. ODPs provide both the flexibility and specificity needed by organizations to clearly define their CUI security requirements, given the diverse nature of their missions, business functions, operational environments, and risk tolerance. 

In addition, ODPs support consistent security assessments in determining whether specified security requirements have been satisfied. If a federal agency or a consortium of agencies does not specify a particular value or range of values for an ODP, nonfederal organizations must assign the value or values to complete the security requirement.

Starting with the SP 800-53 controls in the SP 800-53B moderate baseline, the controls are tailored to eliminate selected controls or parts of controls that are primarily the responsibility of the Federal Government, not directly related to protecting the confidentiality of CUI, adequately addressed by other related controls, or not applicable.

SP 800-171 security requirements represent a subset of the controls that are necessary to protect the confidentiality of CUI. The security requirements are organized into 17 families, with each family containing the requirements related to the general security topic of the family. Certain families from SP 800-53 are not included due to the tailoring criteria. 

The security requirement families include access control; maintenance; security assessment and monitoring; awareness and training; media protection; system and communications protection; audit and accountability; personnel security; system and information integrity; configuration management; physical protection; planning; identification and authentication; risk assessment; system and services acquisition; incident response; and supply chain risk management.

For example, the PII Processing and Transparency (PT) family is not included because personally identifiable information (PII) is a category of CUI, and therefore no additional requirements are specified for confidentiality protection. The Program Management (PM) family is not included because it is not associated with any control baseline. Finally, the Contingency Planning (CP) family is not included because it addresses availability.

NIST plans to release additional resources through the Online Informative References (OLIR), including crosswalks between SP 800-171r3 and SP 800-53r5, and the Cybersecurity Framework 2.0.

Last November, NIST released the final public draft of its SP 800-171r3 publication, which aims to provide federal agencies with recommended security requirements for safeguarding the confidentiality of CUI when it is stored in nonfederal systems and organizations. SP 800-171r3 addresses situations where there are no specific safeguarding requirements outlined by the authorizing law, regulation, or government-wide policy for the particular CUI category listed in the CUI registry.