SP 800–171 Guidelines for Sensitive Information Protection are revised by NIST
Credit: Acts/Shutterstock Data Stock
An effort to assist federal agencies and government contractors in more consistently implementing cybersecurity requirements, the National Institute of Standards and Technology ( NIST ) has updated its draft guidelines for safeguarding sensitive unclassified information.
The tens of thousands of companies that work with the federal government will be particularly interested in the updated draft guidelines, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations ( NIST Special Publication]SP] 800- 171 Revision3.
Refer to the SP 800- 171 security requirements for federal regulations governing the protection of controlled unclassified information ( CUI), which includes sensitive data like health information, information about critical energy infrastructure, and intellectual property.
Government programs containing important assets, such as the design requirements for space systems, communications networks, and weapons systems are frequently supported by systems that storeCUI.
The modifications are meant to aid these companies in better comprehending how to put the specific cybersecurity safeguards described in SP 800-53 Rev., a closely related NIST publication. 5.
To make it easier for businesses to use SP 800-53’s list of technical tools, or” controls,” to achieve the cybersecurity outcomes of SP 800-171, the authors have unified the language of the two publications.  ,
The update, according to Ron Ross of NIST, is intended to support ongoing defenses against serious threats to information security.  ,
Threats to CUI, which has recently been the target of state-level espionage, are specifically addressed by many of the recently added requirements.
The threat space is constantly changing, so we need to implement and maintain state-of-the-practice defenses, according to Ross, a NIST Fellow and one of the publication’s authors. ” We made an effort to convey those requirements in a way that demonstrates our work in federal cybersecurity to contractors.” Now that there is less ambiguity and more useful detail,
By July 14, 2023, NIST wants feedback from the general public on the draft guidelines.
The draft has undergone notable changes, including  ,
- modifications made to take cybersecurity controls into account,
- NIST’s revised standards for creating security requirements,
- increased security requirement specificity and alignment in SP 800–171 Rev. 3 with a SP 800-53 Rev. 5, to support evaluation and implementation, and
- additional tools to aid implementers in comprehending and evaluating the suggested updates.  ,
Ross stated that the modifications ‘ ultimate objective was to improve the requirements while streamlining the NIST cybersecurity publication ecosystem.  ,
The ability of the country to innovate depends on protecting CUI, including intellectual property, which has significant ramifications for both our national and economic security, according to him. ” We require safeguards that are strong enough to carry out the job,” 
Additionally, NIST plans to release at least one more SP 800- 171 Rev draft. 3 prior to the early 2024 publication of the final. The authors intend to update the supporting NIST publications on safeguarding controlled unclassified information, including SPs 800- 171A ( security requirement assessment ), SP 800– 172 ( enhanced security requirements ), and SP-800-172A, after the final version is published.  ,
To discuss the modifications made to SP 800- 171, NIST is organizing a webinar for June 6, 2023. Next week, the Protecting CUI project site will post the registration information.
A Note on progress…NIST’s Digital Identity GuidelineWhat is Controlled Unclassified Information (CUI)?
DFARS and CMMC Compliance for Defense Contractors
(Opens in a new browser tab)Celebrating Cybersecurity Awareness Month with NIST and our blog series for cybersecurity awareness month 2023
(Opens in a new browser tab)NIST identifies the types of cyberattacks that affect AI systems ‘ behavior.