The Ultimate Lithobius Forficatus Quiz

NIST Special Publication 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

• This publication provides recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when the information is resident in nonfederal systems and organizations.

• The security requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components.

• The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

• The publication is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.

• The publication is available free of charge from the National Institute of Standards and Technology (NIST) website.

• The publication is not subject to copyright in the United States, but attribution to NIST is appreciated.

• This publication is derived from Federal Information Processing Standards Publication (FIPS) 200 and NIST Special Publication (SP) 800-53, and is based on the CUI regulation 32 CFR 2002.

• Organizations should not assume that satisfying the requirements in this publication will automatically satisfy the security requirements and controls in FIPS 200 and SP 800-53.

• Organizations interested in or required to comply with the recommendations in this publication are strongly advised to review the complete listing of controls in the moderate baseline in Appendix E to ensure that their individual security plans and control deployments provide sufficient protection.

• The publication provides a direct mapping of CUI security requirements to the security controls in SP 800-53 and ISO 27001, which can be useful for organizations that have implemented the NIST Framework for Improving Critical Infrastructure Cybersecurity.

• The publication acknowledges contributions from individuals and organizations in the public and private sectors, nationally and internationally, whose comments improved the overall quality and usefulness of the publication.

• Comments on this publication may be submitted to NIST for review during designated public comment periods.Protecting Controlled Unclassified Information: Summary of Guidelines

• The federal government relies on external service providers to help carry out federal missions and business functions using information systems.

• Many federal contractors process, store, and transmit sensitive federal information to support the delivery of essential products and services to federal agencies.

• The protection of unclassified federal information in nonfederal systems and organizations is dependent on the federal government providing a process for identifying the different types of information that are used by federal agencies.

• The Controlled Unclassified Information (CUI) Program was established to standardize the way the executive branch handles unclassified information that requires protection.

• The CUI Program is designed to address several deficiencies in managing and protecting unclassified information to include inconsistent markings, inadequate safeguarding, and needless restrictions.

• The CUI Registry is the online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent.

• The purpose of this publication is to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI when the CUI is resident in a nonfederal system and organization.

• The requirements apply to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.

• The recommended security requirements in this publication are intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and nonfederal organizations.

• The tailoring criteria described in Chapter Two are not intended to reduce or minimize the federal requirements for the safeguarding of CUI as expressed in the federal CUI regulation.

• The requirements in this publication have been tailored for nonfederal entities but do not diminish the level of protection of CUI required for moderate confidentiality.

• Additional or differing requirements, other than the requirements described in this publication, may be applied only when such requirements are based on law, regulation, or governmentwide policy and when indicated in the CUI Registry as CUI-specified or when an agreement establishes.Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

• The security requirements for protecting Controlled Unclassified Information (CUI) are defined by the National Institute of Standards and Technology (NIST) in Special Publication (SP) 800-171 Revision 2.

• The requirements apply to nonfederal organizations that own, operate, or maintain nonfederal systems, such as state and local governments, colleges and universities, and contractors.

• The potential impact of a breach of security on organizations, assets, or individuals is defined as low, moderate, or high, based on the loss of confidentiality.

• The safeguarding requirements for CUI in a specified category are addressed by the National Archives and Records Administration (NARA) and reflected in contracts or agreements.

• Nonfederal organizations may use the same CUI infrastructure for multiple government contracts or agreements, if the infrastructure meets the safeguarding requirements for the organization's CUI-related contracts and/or agreements.

• The publication serves a diverse group of individuals and organizations in both the public and private sectors with system development, acquisition, management, and oversight responsibilities.

• The security requirements have a well-defined structure that consists of a basic security requirements section and a derived security requirements section.

• The basic security requirements are obtained from Federal Information Processing Standards Publication (FIPS) 200, while the derived security requirements are taken from the security controls in SP 800-53.

• The security requirements are organized into fourteen families that align with the minimum-security requirements for federal information and systems described in FIPS 200.

• A discussion section follows each CUI security requirement providing additional information to facilitate implementation and assessment of the requirements.

• The security requirements developed represent a subset of the safeguarding measures necessary for a comprehensive information security program.

• Nonfederal organizations are encouraged to refer to SP 800-53 for a complete listing of security controls in the moderate baseline deemed out of scope for the security requirements in Chapter Three.NIST SP 800-171: Protecting Controlled Unclassified Information

• NIST SP 800-171 is a publication that provides recommended security requirements for nonfederal organizations that process, store, or transmit controlled unclassified information (CUI).

• Nonfederal organizations must implement security requirements to protect CUI, which includes 14 security control families and 110 security requirements.

• The security requirements in NIST SP 800-171 are based on existing and recognized security standards and control sets, such as ISO 27001 or SP 800-53.

• Nonfederal organizations must develop a system security plan that describes how security requirements are implemented, the system boundary, operational environment, and relationships with other systems.

• Plans of action must also be developed to describe how unimplemented security requirements will be met and how planned mitigations will be implemented.

• The discussion section associated with each CUI requirement is informative, not normative, and does not intend to extend the scope of a requirement or influence the solutions organizations may use to satisfy a requirement.

• Compensatory security measures selected by organizations must be based on or derived from existing and recognized security standards and control sets.

• The recommended security requirements in NIST SP 800-171 apply only to the components of nonfederal systems that process, store, or transmit CUI or provide protection for such components.

• The term "organizational system" refers to the components of nonfederal systems that process, store, or transmit CUI or provide protection for such components.

• Access control policies control access between active entities or subjects and passive entities or objects in systems.

• Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of both.

• Information flow control regulates where information can travel within a system and between systems, and organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information.