On May 10, the National Institute of Standards and Technology (NIST) issued a draft of a new set of changes to its guidelines for protecting unclassified information.
The changes will affect NIST SP 800-171 Revision 3, which addresses some of the issues that many customers and contractors have run into in the past when protecting Controlled Unclassified Information (CUI).
“Many of the newly added requirements specifically address threats to CUI, which recently has been a target of state-level espionage. We want to implement and maintain state-of-the-practice defenses because the threat space is changing constantly,” said Ronald S. Ross, a NIST Fellow.
“We tried to express those requirements in a way that shows contractors what we do and why in federal cybersecurity. There’s more useful detail now with less ambiguity,” said Ross.
Some of the significant changes in the draft include increasing the security requirements to remove ambiguities and clarify the scope of assessments, as well as introducing organization-defined parameters (ODP) to increase flexibility in managing risk.
“Many trade-offs have been made to ensure that the technical and non-technical requirements have been stated clearly and concisely while also recognizing the specific needs of both federal and nonfederal organizations,” stated the agency.
Before the final version is published, “the authors plan to revise the set of supporting NIST publications on protecting controlled unclassified information,” stated the agency.
NIST will also host a webinar on June 6 to discuss some of the changes in the draft guideline.
All interested parties have until July 14 to submit comments or feedback on the draft.