Controlled Unclassified Information

NIST releases draft of pending CUI supplemental requirements

On July 6, 2020, NIST released Final Public Draft Special Publication 800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171). This publication recommends enhanced security requirements for CUI, noting the rising presence of advanced persistent threat (APT). APT has been found to be particularly adept at resisting current protection measures and evolving to conduct a series of coordinated and multi-faceted attacks over a long period of time. Therefore, these safeguards would be implemented in addition to current CUI requirements that do not cover APT specifically.

In terms of focus, these measures utilize a strategy of (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designing for cyber resiliency systems that reinforce one another while addressing APT survivability. The measures would be applicable when the information resides in a nonfederal system, when a nonfederal organization is not maintaining CUI on behalf of a federal agency, and when there are no specific safeguarding requirements regarding CUI already. It is also applicable only to these nonfederal systems that process, store, or transmit CUI, or any systems that provide protection for the CUI systems.

The release of this publication is an update to a previous draft of the policy from spring 2019. The full announcement can be found online, and NIST is currently encouraging comments to be submitted prior to August 21, 2020 in order to help shape the final publication.

Additional Information: