On July 19, 2022, the National Institute of Standards and Technology (NIST) released a Pre-Draft Call for Comments, seeking feedback on improving its Controlled Unclassified Information (CUI) series of publications. The comment period currently is open and scheduled to close on September 16, 2022.
The CUI series at issue focuses on protecting the confidentiality of CUI, including specific security controls to achieve that objective. These publications currently form the basis for contractor security requirements under Department of Defense (DoD) regulations and the Cybersecurity Maturity Model Certification (CMMC) program (discussed previously here). The CUI publications also are expected to become requirements under civilian agency contracts in the near future. Thus, this call for comments likely will lead to updated security requirements impacting nearly all government contractors.
NIST plans to update the CUI series, beginning with Revision 3 of NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The CUI series also includes:
- NIST SP 800-171A Assessing Security Requirements for CUI,
- NIST SP 800-172 Enhanced Security Requirements for Protecting CUI, and
- NIST SP 800-172A Assessing Enhanced Security Requirements for CUI.
Since the initial publication of NIST SP 800-171 in June 2015, there have been substantial changes in the cybersecurity environment that impact the protection of CUI - including new threats, vulnerabilities, capabilities, and technologies. Given these changes, NIST specifically is seeking input from organizations that already have implemented the CUI series, specifically feedback on the following topics:
- Use of the CUI series:Including how the CUI series currently is being used, how the CUI series interacts with other frameworks and standards, and how to improve alignment between the CUI series and other frameworks;
- Updates for consistency with NIST SP 800-53 Revision 5 and NIST SP 800-53B:Including the impact on usability if the CUI series were to be updated for consistency with these guidelines;
- Updates to improve usability and implementation: Including features of the CUI series that should be changed, added, or removed; and
- Other relevant topics in the development of the revised NIST SP 800-171 and its supporting publications.
With the comment period closing on September 16, 2022, it is crucial for organizations that have experience with the current CUI series to share their recommendations and help improve future revisions to this series. Comments can be emailed to 800-171comments@list.nist.gov, and contractors will be able to review all submitted comments on the Protecting CUI project site after September 16.
* Lillia Damalouji is licensed in Maryland, pending admission in Washington, D.C., working under the supervision of a D.C. Bar Member.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.