The National Institute of Standards and Technology (NIST) has released Special Publication 800-171. The document covers the protection of Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations. The document was designed to provide guidance on ensuring that all systems that process, store, or transmit CUI information are secured and hardened. Compliance to the 800-171 standard is enforced by a set of technical policies. NIST SP800-171 outlines those policies. A deadline to comply or to report delays in compliance has been set for December 31, 2017.
Where did this requirement originate? Who is responsible for the program?
Executive Order 13556 (11/10/2010) designated the National Archives and Records Administration (NARA) as the Executive Agent to implement the CUI program, for which the Information Security Oversight Office (ISOO) of the National Archives and Records Administration is responsible. In April of 2013, ISSO issued a memorandum to government agency leads on the management of the CUI program. In September 2016, ISOO released notice 2016-01 outlining the implementation guidance for CUI, and a later notice 2017-01 was issued in June of 2017 with recommendations for implementation of the CUI program. Below are excerpts of that notice (2017-01).
A bit of background “The Information Security Oversight Office (ISOO) exercises Executive Agent responsibilities for the CUI Program. In consultation with the Office of Management and Budget and affected agencies, on September 14, 2016, ISOO issued CUI Notice 2016-01, 'Implementation Guidance for the Controlled Unclassified Information Program.' CUI Notice 2016-01 outlines the phased implementation deadlines for agencies and describes the significant elements of a CUI Program.” Program management "ISOO’s memorandum to the heads of executive departments and agencies, “Appointments of Senior Agency Official and Program Manager for the Controlled Unclassified Information (CUI) Program Implementation,” dated April 11, 2013, requested that agencies affirm or update their initial designations of their CUI Senior Agency Official (SAO) and also requested that they assign a CUI Program Manager (PM)."
Who is impacted by NIST 800-171?
Anyone (individual or business/contractor) who processes, stores, or transmits information (that falls into one of many CUI categories) for or with federal or state agencies is impacted. This includes all governmental contractual relationships. A list of categories of CUI information has been made available by NARA here.
What are the 800-171 requirements?
There are 14 categories of security requirements that must be met. Each category has a unique set of policy tests in which affected programs must meet.
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
For a complete list of policy tests included under each of the 14 categories, please refer to the NIST SP800-171 web page: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf To find out more about NIST SP 800-171 you can watch a recording of our recent webcast here. Or you can learn more about how Tripwire solutions can help you meet the requirements NIST 800-171 here.
