NIST Revises SP 800-171 Guidelines for Protecting Sensitive Information

The National Institute of Standards and Technology (NIST) has updated its draft guidelines for protecting sensitive unclassified information in an effort to help federal agencies and government contractors more consistently implement cybersecurity requirements.

The revised draft guidelines, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171 Revision 3), will be of particular interest to the thousands of businesses that contract with the federal government. Federal rules governing the protection of controlled unclassified information (CUI), which includes sensitive data such as health information, critical energy infrastructure information, and intellectual property, reference the SP 800-171 security requirements. Systems that host CUI often support government programs that contain critical assets such as design specifications for weapons systems, communications systems, and space systems.

The changes are intended, in part, to help these enterprises better understand how to implement specific cybersecurity safeguards set forth in a closely related NIST publication, SP 800-53 Rev. 5. The authors have aligned the language of the two publications so that businesses can more easily apply SP 800-53’s catalog of technical tools, or “controls,” to achieve the cybersecurity outcomes of SP 800-171.

According to NIST’s Ron Ross, the update is designed to maintain consistent protection against high-level information security threats.

“Many of the newly added requirements specifically address threats to CUI, which has recently been the target of state-level espionage. We want to implement and maintain best-practice protections as the threat landscape is constantly changing,” said Ross, a NIST fellow and co-author of the publication. “We’ve tried to articulate those requirements in a way that shows contractors what we do and why in federal cybersecurity. Now there are more useful details with less ambiguity.”

NIST is requesting public comments on the draft guidelines until July 14, 2023.

Notable updates in the draft include:

  • Changes to reflect applied cybersecurity controls;
  • Revised standards used by NIST to develop security requirements;
  • Increased specificity and alignment of the security requirements in SP 800-171 Rev. 3 with SP 800-53 Rev. 5, to assist with implementation and evaluation; and
  • Additional resources to help implementers understand and analyze proposed updates.

Ross said the ultimate goal of the changes was to simplify NIST’s ecosystem of cybersecurity publications while providing better requirements.

“Protecting CUI, including intellectual property, is critical to the nation’s ability to innovate, with far-reaching implications for our national and economic security,” he said. “We need to have safeguards that are strong enough to do the job.”

NIST also expects to issue at least one more draft version of SP 800-171 Rev. 3 before the final release in early 2024. After publication of the final version, the authors plan to revise the set of NIST publications supporting the protection of controlled unclassified information, including SP 800-171A (Evaluation of Security Requirements), SP 800-172 (Enhanced Security Requirements), and SP 800-172A (Evaluation of Enhanced Security Requirements).

NIST is planning a webinar on June 6, 2023 to present the changes to SP 800-171. Registration information will be posted on the Protecting CUI project website next week.