Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

NIST issues updated security requirements and assessment procedures for protecting controlled unclassified information

Privacy, Cyber Risk & Data Security NIST Federal Issues

Privacy, Cyber Risk & Data Security

On May 14, the National Institute of Standards and Technology (NIST) released “Revision 3” to Special Publication 800-171 (Protecting Controlled Unclassified Information on Nonfederal Systems and Organizations) and 800-171A (Assessing Security Requirements for Controlled Unclassified Information) for federal contractors and other entities that do business with the federal government and handle controlled unclassified information. The revisions were intended to create better alignment with the controls set forth in Special Publication 800-53 Rev. 5 (Security and Privacy Controls for Information Systems and Organizations), realign controls based on new tailoring criteria, and to directly tie specific controls to the handling of controlled unclassified information. The revisions further implemented the framework set forth in Executive Order 13556 – Controlled Unclassified Information, and give the private sector more clarity by tailoring the moderate baseline for controls in Special Publication 800-53 Rev. 5 to withdraw the requirements that are, among other things, primarily the responsibility of the federal government, not directly related to the protection of controlled unclassified information, or are adequately addressed through other related controls. The updates will also allow for more specific tailoring of organizational controls to security standards, increasing flexibility. Finally, the assessment procedures in Special Publication 800-171A for determining whether a contractor or other entity would be compliant with Special Publication 800-171 was updated to align with the new revisions in Special Publication 800-171. These updates will come at a time when the Department of Defense will continue to implement the Cybersecurity Maturity Model Capability, covered by InfoBytes here.