
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance


GUIDANCE FOR NIST 800-171 ASSESSMENTS & COMPLIANCE 17.07.06


Information Security Management Systems

Implementations and Assessments for Compliance

(800) 644-2056


Controlled Unclassified Information (CUI) supports federal missions and business functions that affect the economic and national security interests of the United States. Non-federal organizations (e.g. colleges, universities, state, local and tribal governments, federal contractors and subcontractors) often process, store, or transmit CUI.

Executive Order 13556, as issued November 10, 2010, designated the National Archives and Records Administration (NARA) as the Executive Agent to implement the CUI program. NIST Special Publication 800-171 defines the security requirements for protecting CUI in non-federal information systems and organizations.

Security Requirements for Protecting the Confidentiality of CUI

NIST Special Publication 800-171 contains fourteen families of security requirements (including basic and derived requirements) for protecting the confidentiality of CUI in non-federal information systems and organizations.

The security controls from NIST Special Publication 800-53 associated with the basic and derived requirements are also listed in Appendix D. Organizations can use Special Publication 800-53 to obtain additional, non-prescriptive information related to the CUI security requirements (e.g., supplemental guidance for each of the referenced security controls, mapping tables to ISO/IEC 27001 ISMS Annex A (security objectives and controls), and a catalog of optional controls that can be used to help specify additional CUI requirements if needed).

The security requirements identified in 800-171 are intended to be applied to the non-federal organization’s general-purpose internal information systems that are processing, storing, or transmitting CUI. Some specialized systems such as medical devices, Computer Numerical Control (CNC) machines, or industrial control systems may have restrictions or limitations on the application of certain CUI requirements and may be granted waivers or exemptions from the requirements by the federal agency providing oversight.

Chapter One: Introduction

Chapter Two: The Fundamentals

Chapter Three: The Requirements

NIST 800-171-SECURITY FAMILIES

Appendix A: References

Appendix B: Glossary

Appendix C: Acronyms

Appendix D: Assessment Method Descriptions

Appendix E: Penetration Testing

Appendix F: Security Assessment Procedures

a. AC-FAMILY: ACCESS CONTROL

b. AT-FAMILY: AWARENESS AND TRAINING

c. AU-FAMILY: AUDIT AND ACCOUNTABILITY

d. CA-FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION

e. CM-FAMILY: CONFIGURATION MANAGEMENT

f. CP-FAMILY: CONTINGENCY PLANNING

g. IA-FAMILY: IDENTIFICATION AND AUTHENTICATION

h. IR-FAMILY: INCIDENT RESPONSE

i. MA-FAMILY: MAINTENANCE

j. MP-FAMILY: MEDIA PROTECTION

k. PE-FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION

l. PL-FAMILY: PLANNING

m. PM-FAMILY: PROGRAM MANAGEMENT

n. PS-FAMILY: PERSONNEL SECURITY

o. RA-FAMILY: RISK ASSESSMENT

p. SA-FAMILY: SYSTEM AND SERVICES ACQUISITION

q. SC-FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION

r. SI-FAMILY: SYSTEM AND INFORMATION INTEGRITY

Appendix G: Assessment Reports

Appendix H: Assessment Cases

Appendix I: Ongoing Assessment and Automation

Appendix J: Privacy Assessment Procedures


Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056