Information Security Management Systems
Implementations and Assessments for Compliance
(800) 644-2056
17.07.06
Controlled Unclassified Information (CUI) supports federal missions and business functions that affect the economic and national security interests of the United States. Non-federal organizations (e.g. colleges, universities, state, local and tribal governments, federal contractors and subcontractors) often process, store, or transmit CUI.
Executive Order 13556, issued November 10, 2010, designated the National Archives and Records Administration (NARA) as the Executive Agent to implement the CUI program. NIST Special Publication 800-171 defines the security requirements for protecting CUI in non-federal information systems and organizations.
Security Requirements for Protecting the Confidentiality of CUI
NIST Special Publication 800-171 contains fourteen families of security requirements (including basic and derived requirements) for protecting the confidentiality of CUI in non-federal information systems and organizations.
The security controls from NIST Special Publication 800-53 associated with the basic and derived requirements are also listed in Appendix D. Organizations can use Special Publication 800-53 to obtain additional, non-prescriptive information related to the CUI security requirements (e.g., supplemental guidance for each of the referenced security controls, mapping tables to the ISO/IEC 27001 ISMS, Annex A (security objectives and controls), and a catalog of optional controls that can be used to specify additional CUI requirements if needed).
The security requirements identified in 800-171 are intended to be applied to the non-federal organization’s general-purpose internal information systems that are processing, storing, or transmitting CUI. Some specialized systems such as medical devices, Computer Numerical Control (CNC) machines, or industrial control systems may have restrictions or limitations on the application of certain CUI requirements and may be granted waivers or exemptions from the requirements by the federal agency providing oversight.
• Chapter Two: The Fundamentals
• Chapter Three: The Requirements
• NIST 800-171 Security Families
  b. AT-FAMILY: AWARENESS AND TRAINING
  c. AU-FAMILY: AUDIT AND ACCOUNTABILITY
  d. CA-FAMILY: SECURITY ASSESSMENT AND AUTHORIZATION
  e. CM-FAMILY: CONFIGURATION MANAGEMENT
  f. CP-FAMILY: CONTINGENCY PLANNING
  g. IA-FAMILY: IDENTIFICATION AND AUTHENTICATION
  h. IR-FAMILY: INCIDENT RESPONSE
  k. PE-FAMILY: PHYSICAL AND ENVIRONMENTAL PROTECTION
  m. PM-FAMILY: PROGRAM MANAGEMENT
  n. PS-FAMILY: PERSONNEL SECURITY
  p. SA-FAMILY: SYSTEM AND SERVICES ACQUISITION
  q. SC-FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION
  r. SI-FAMILY: SYSTEM AND INFORMATION INTEGRITY
• Appendix D: Assessment Method Descriptions
• Appendix E: Penetration Testing
• Appendix F: Security Assessment Procedures
• Appendix G: Assessment Reports
• Appendix I: Ongoing Assessment and Automation
• Appendix J: Privacy Assessment Procedures