NIST releases revised cyber requirements for controlled unclassified information

da-kuk/Getty Images

The proposed revisions will ideally serve as a “balanced, strong starting point” for agencies and contractors that deal with sensitive information, a NIST official said.

The National Institute of Standards and Technology on Thursday released draft guidance for protecting sensitive unclassified information, outlining revised cybersecurity steps for federal agencies and government contractors to take when it comes to safeguarding government data.

The proposed guidelines are the third iteration of NIST’s standards and practices for protecting controlled unclassified information — or CUI — which refers to government-owned or created data that is not classified but still requires security controls. 

The updates to NIST special publication 800-171 that were released on Thursday include drafts of both the security requirements and assessment procedures for evaluating threats to CUI. A public comment period for both draft publications will be open until Jan. 12, 2024, and the agency is planning to publish its final rule some time in early 2024.

NIST noted in its final public draft that “the requirements apply to components of nonfederal systems that process, store or transmit CUI or that provide protection for such components.”

The release of the revised guidance comes after NIST solicited public feedback on a previous draft version of its proposed updates to 800-171 earlier this year.   

During an industry summit hosted by Washington Technology on Wednesday, Victoria Yan Pillitteri — the manager of NIST’s security engineering and risk management group — teased the release of the updated guidance and said the agency has “tried our best to address the comments, questions, concerns that you all brought up to us during the public comment period.”

NIST said that public feedback in response to the initial draft resulted in some significant changes to the latest iteration of 800-171, including, in part, combining security requirements with other requirements “for consistency and ease of use” and eliminating the control tailoring category for non-federal organizations. 

“Our end goal is to develop those universal standards and guidelines that are a kind of balanced, strong starting point,” Pillitteri said, adding that the agency recognizes that companies will “have to take this starting point and tailor it and make it work for your organization.”

The latest release of NIST’s proposed revisions to 800-171 comes as the Defense Department continues to finalize enhanced cyber requirements for the defense industrial base, known as the Cybersecurity Maturity Model Certification. The certification program requires defense firms to be in compliance with NIST’s standards for safeguarding CUI.