The National Institute of Standards and Technology (NIST) is making updates to key controlled unclassified information (CUI) cybersecurity standards for government contractors.
NIST’s Special Publication (SP) 800-171 is a series of publications dedicated to the protection of CUI. NIST said it plans to streamline portions of the documents and remove several outdated requirements. Other changes under consideration reflect current standards and feedback NIST has received from workshops, conferences, and discussions with Federal agencies.
NIST announced its intentions to update the cybersecurity standards for contractors back in July 2022 when it released a call for comments to gather insight on how organizations used the CUI cyber standards document series.
Since the initial publication date in June 2015, cybersecurity threats, vulnerabilities, capabilities, technologies, and resources that impact protection of CUI have changed. In addition, the experiences of the organizations that implemented SP 800-171 have also changed.
With these changes and opportunities to learn from implementers, NIST reviewed and analyzed the comments it received during this period on the use, effectiveness, and adequacy of the CUI series, with a view to its ongoing improvement.
Some changes under consideration include:
- Streamlining the Introduction and Fundamentals sections of the document;
- Withdrawing requirements that are either outdated, no longer relevant, or redundant with other requirements;
- Reassigning some of the NFO controls to the CUI, NCO, or FED tailoring categories;
- Adding new requirements based on changes to the NIST moderate control baseline and the reassignment of selected NFO controls;
- Changing the wording of selected requirements to achieve greater clarity and consistency with the controls;
- Combining requirements where appropriate for greater efficiency;
- Adding organizationally defined parameters to selected requirements to achieve greater specificity of control requirements;
- Updating the discussion sections for individual requirements;
- Updating the supplemental information for individual requirements with additional technical references and mapping controls;
- Revising the structure of the References, Glossary, and Acronyms sections for greater clarity and ease of use; and
- Revising the tailoring and mapping tables for consistency with the changes in the requirements section.