ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

CHAPTER ONE: INTRODUCTION

1.1 Purpose and Applicability

The purpose of this publication is to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI when the CUI is resident in a nonfederal system and organization; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency [6]; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry [7]. The security requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components [8]. The security requirements are intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and nonfederal organizations. In CUI guidance and the CUI Federal Acquisition Regulation (FAR) [9], the CUI Executive Agent will address determining compliance with security requirements [10].

In accordance with the federal CUI regulation, federal agencies using federal systems to process, store, or transmit CUI, as a minimum, must comply with:

Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems (moderate confidentiality impact) [11];

Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems;

NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations; and

NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories [12].

The responsibility of federal agencies to protect and ensure the control of CUI does not change when such information is shared with nonfederal partners. Therefore, a similar level of protection is needed when CUI is processed, stored, or transmitted by nonfederal organizations using nonfederal systems [13]. The specific requirements for safeguarding CUI in nonfederal systems and organizations are derived from the above authoritative federal standards and guidelines to maintain a consistent level of protection. However, recognizing that the scope of the safeguarding requirements in the federal CUI regulation is limited to the security objective of confidentiality (i.e., not directly addressing integrity and availability) and that some of the security requirements expressed in the NIST standards and guidelines are uniquely federal, the requirements in this publication have been tailored for nonfederal entities.

The tailoring criteria, described in Chapter Two, are not intended to reduce or minimize the federal requirements for the safeguarding of CUI as expressed in the federal CUI regulation. Rather, the intent is to express the requirements in a manner that allows for and facilitates the equivalent safeguarding measures within nonfederal systems and organizations and does not diminish the level of protection of CUI required for moderate confidentiality. Additional or differing requirements other than those requirements described in this publication may be applied only when such requirements are based on law, regulation, or governmentwide policy and when indicated in the CUI Registry as CUI-specified. The provision of safeguarding requirements for CUI in a particular specified category will be addressed by NARA in its CUI guidance and in the CUI FAR, and reflected as specific requirements in contracts or other agreements.

If nonfederal organizations entrusted with protecting CUI designate systems or components for the processing, storage, or transmission of CUI, those organizations may limit the scope of the security requirements to only those systems or components. Isolating CUI into its own security domain by applying architectural design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for nonfederal organizations to satisfy the security requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both. This approach can reasonably provide adequate security for the CUI and avoid increasing the organization’s security posture to a level beyond which it typically requires for protecting its missions, operations, and assets. Nonfederal organizations may choose to use the same CUI infrastructure for multiple government contracts or agreements, as long as the CUI infrastructure meets the safeguarding requirements for all of the organization’s CUI-related contracts and/or agreements including any specific safeguarding required or permitted by the authorizing law, regulation, or governmentwide policy.

Footnotes

[6] Nonfederal organizations that collect or maintain information on behalf of a federal agency, or that use or operate a system on behalf of an agency, must comply with the requirements in FISMA, including the requirements in FIPS Publication 200 and the security controls in NIST Special Publication 800-53 (see 44 USC 3554(a)(1)(A)).

[7] The requirements in this publication can be used to comply with the FISMA requirement for senior agency officials to provide information security for the information that supports the operations and assets under their control, including CUI that is resident in nonfederal systems and organizations (see 44 USC 3554(a)(1)(A) and 3554(a)(2)).

[8] System components include, for example: mainframes, workstations, servers; input and output devices; network components; operating systems; virtual machines; and applications.

[9] NARA, in its capacity as the CUI Executive Agent, plans to sponsor in 2017 a single FAR clause that will apply the requirements of the federal CUI regulation and NIST Special Publication 800-171 to contractors. Until the formal process of establishing such a single FAR clause takes place, the security requirements in NIST Special Publication 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements.

[10] NIST Special Publication 800-171A (projected for publication in 2017), a companion publication, will provide assessment procedures to help organizations determine compliance with the security requirements in Chapter Three.

[11] FIPS Publication 199 defines three values of potential impact (i.e., low, moderate, high) on organizations, assets, or individuals should there be a breach of security (e.g., a loss of confidentiality). The potential impact is moderate if the loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

[12] NIST Special Publication 800-60 is under revision to align with the CUI categories and subcategories in the CUI Registry.

[13] A nonfederal organization is any entity that owns, operates, or maintains a nonfederal system. Examples include: state, local, and tribal governments; colleges and universities; and contractors.

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056