NIST Finalizes Updated Guidelines for Protecting Sensitive Information

Posted May 16, 2024 by Philip Duplisey

Current regulatory mandates require defense industrial base (DIB) companies that handle Department of Defense (DOD) controlled unclassified information (CUI) to implement the NIST SP 800-171 security requirements. Timelines based on ongoing federal rulemaking may add further requirements this year, including potential CMMC assessments and/or certifications. Every DIB company that manages CUI should already have fully implemented, and be confidently meeting, the underlying NIST SP 800-171 (Rev. 2) requirements ahead of potential contractual CMMC requirements.

Contractors and organizations doing business with the federal government have complained about inconsistencies in how the standards were written; those inconsistencies have now been addressed.

While we wait for the final rulemaking, the National Institute of Standards and Technology (NIST) has finalized its updated guidelines for safeguarding controlled unclassified information (CUI). These updates are encapsulated in two key publications: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171, Revision 3) and its companion, Assessing Security Requirements for Controlled Unclassified Information (NIST SP 800-171A, Revision 3).

These guidelines mandate the protection of CUI, which includes valuable data like intellectual property and employee health information. Given that systems handling CUI often support critical government programs—such as weapons and communications systems—they are attractive targets for adversaries. Therefore, ensuring their security is paramount.

The revised publications build on NIST’s foundational documents of security and privacy controls (NIST SP 800-53) and assessment procedures (NIST SP 800-53A). Previously, discrepancies between these documents and the source catalogs led to ambiguity in security requirements. The new revisions aim to eliminate this confusion, streamlining NIST’s cybersecurity guidance portfolio.

“For the sake of our private sector customers, we want our guidance to be clear, unambiguous and tightly coupled with the catalog of controls and assessment procedures used by federal agencies,” said Ron Ross, one of the publications’ authors. This update is a significant step towards achieving that goal.

Last year, NIST released draft versions of these guidelines for public comment. In response, the updates now include safeguards in machine-readable formats like JSON and Excel, which are beneficial for cybersecurity tool developers and implementing organizations. These formats are available through NIST’s Cybersecurity and Privacy Reference Tool, facilitating easier reference and faster implementation.

To assist those already using Revision 2, NIST has provided an analysis of changes detailing how each requirement has evolved. The companion publication, SP 800-171A, includes a complete set of updated assessment procedures corresponding to the new security requirements, aiding users in evaluating their compliance.

In the coming months, NIST plans to revise additional publications related to protecting CUI associated with high-value assets and critical programs. Future updates will include NIST SP 800-172 (enhanced security requirements) and NIST SP 800-172A (enhanced security requirement assessments), continuing the effort to safeguard sensitive government data effectively.

Contact us today for an immediate response from a NIST 800-171 Expert