Contractors and other organizations that do business with the federal government now have clearer, more straightforward guidance for protecting the sensitive data they handle. 

The National Institute of Standards and Technology (NIST) has finalized its updated guidelines for protecting this data, known as controlled unclassified information (CUI), in two publications: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171, Revision 3), and its companion, Assessing Security Requirements for Controlled Unclassified Information (NIST SP 800-171A, Revision 3). 

These guidelines require organizations to safeguard CUI such as intellectual property and employee health information. Systems that process, store and transmit CUI often support government programs involving critical assets, such as weapons systems and communications systems, which are potential targets for adversaries. 

The two publications draw on NIST’s source catalog of security and privacy controls (NIST SP 800-53) and assessment procedures (NIST SP 800-53A). Before this update, the wording of these documents did not match the language of the source catalogs, potentially creating ambiguity in the security requirements and uncertainty in security requirement assessments. The update is designed to address these issues and also streamline and harmonize NIST’s portfolio of cybersecurity guidance.

“For the sake of our private sector customers, we want our guidance to be clear, unambiguous and tightly coupled with the catalog of controls and assessment procedures used by federal agencies,” said NIST’s Ron Ross, one of the publications’ authors. “This update is a significant step toward that goal.”

NIST released draft versions of the guidelines for public comment last year. Ross said that the update acknowledges the community’s interest in making the safeguards available in machine-readable formats, such as JSON and Excel, which would benefit cybersecurity tool developers and implementing organizations. These alternate formats are now available through NIST’s Cybersecurity and Privacy Reference Tool.

“Toolmakers often want to import relevant sections of the guidance directly into an electronic form for easier reference and use,” he said. “Providing the guidance in these additional formats will allow them to do that. It will help a wider group of users to understand the requirements and implement them more quickly and efficiently.”

Additionally, to assist implementers already using Revision 2, NIST has issued an analysis of changes that details how each requirement has evolved. 

The companion publication, SP 800-171A, is designed to help users assess the security requirements in SP 800-171 to determine if the requirements have been met. The publication includes a complete set of updated assessment procedures that correspond to the changes to the security requirements as well as new material to illustrate how to conduct security requirement assessments.

In the coming months, NIST plans to revise other supporting publications on protecting CUI associated with high-value assets and critical programs. These forthcoming updates will include NIST SP 800-172 (enhanced security requirements) and NIST SP 800-172A (enhanced security requirement assessments). 

Read more about the release at the NIST Computer Security Resource Center.