NIST Announces the Initial Public Drafts of SP 800-171 Rev. 2 and SP 800-171B

Summary

NIST is seeking comments on Draft
NIST Special Publication (SP) 800-171 Revision 2
, Protecting Controlled
Unclassified Information in Nonfederal Systems and Organizations
, and Draft
NIST SP 800-171B
, Protecting Controlled Unclassified Information in
Nonfederal Systems and Organizations: Enhanced Security Requirements for
Critical Programs and High Value Assets.

The public comment period for both publications ends on July 19,
2019
. Comments can also be submitted on a Department of Defense (DoD) cost
estimate for implementing the enhanced security requirements of SP 800-171B.
See the publication details links below for document files and instructions on
submitting comments.

Details

Draft NIST SP 800-171 Rev. 2 provides minor editorial changes in Chapters
One and Two, and in the Glossary, Acronyms, and References appendices. There
are no changes to the basic and derived security requirements in Chapter Three
.
For ease of use, the Discussion sections, previously located in Appendix F (SP
800-171 Rev. 1), have been relocated to Chapter Three to coincide with the
basic and derived security requirements.

Publication details for SP
800-171 Rev. 2:

https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/draft

////////

Draft NIST SP 800-171B, Protecting
Controlled Unclassified Information in Nonfederal Systems and Organizations:
Enhanced Security Requirements for Critical Programs and High Value Assets,
was developed in the spring of 2019 as a
supplement to NIST SP 800-171. This new document offers additional
recommendations for protecting Controlled Unclassified Information (CUI) in
nonfederal systems and organizations where that information runs a higher than
usual risk of exposure. When CUI is part of a critical program or a high value
asset (HVA), it can become a significant target for high-end, sophisticated
adversaries (i.e., the advanced persistent threat (APT)). In recent years,
these critical programs and HVAs have been subjected to an ongoing barrage of serious
cyberattacks, prompting the Department of Defense to request additional
guidance from NIST.

The enhanced security
requirements are to be implemented in addition to the basic and derived
requirements in NIST SP 800-171, since the basic and derived requirements are
not designed to address the APT.  The enhanced security requirements apply
only to components of nonfederal systems that process, store, or transmit CUI
or that provide protection for such components when the designated CUI is
contained in a critical program or HVA. The enhanced security requirements
are only applicable for a nonfederal system or organization when mandated
by a federal agency in a contract, grant, or other agreement.

All public comments received on
Draft NIST SP 800-171B will be posted at both 
https://csrc.nist.gov/projects/protecting-cui/public-comments and https://www.regulations.gov/docket?D=NIST-2019-0002
(Regulations.gov docket no. NIST-2019-0002) without change or redaction,
so commenters should not include information they do not wish to be posted
(e.g., personal or business information). 

The DoD has completed a cost
analysis to provide stakeholders insight into the estimated cost of
implementing the enhanced security requirements in Draft NIST SP 800-171B. The
cost analysis is available for review and comment at the publication details
link below. Please submit any comments regarding the DoD cost analysis
review by July 19, 2019 to
www.regulations.gov/docket?D=DOD-2019-OS-0072
(Regulations.gov docket no. DOD-2019-OS-0072).

Publication details for Draft SP
800-171B (including the document, DoD Cost Estimate, and recommended comment
template):
https://csrc.nist.gov/publications/detail/sp/800-171b/draft

 

NOTE: A call for patent claims
is included in both draft publications. For additional information, see
the “
Information
Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL
Publications”:
https://www.nist.gov/itl/information-technology-laboratory-itl-patent-policy-inclusion-patents-itl-publications.

Please send any questions to sec-cert@nist.gov.