The National Institute of Standards and Technology has delayed the release of cybersecurity standards used by Defense Department contractors, pending a review by the White House's Office of Management and Budget of related standards for protecting the privacy and security of all government data.
NIST Special Publication 800-171, Revision 2, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," is on hold "until review cycle completion of SP 800-53 by Office of Management and Budget, Office of Information and Regulatory Affairs due to dependencies on SP 800-53," according to the agency's website updated today.
NIST SP 800-171B, which was proposed in June as a "supplement" to address strategic threats from foreign adversaries, is also on hold pending the outcome of OIRA's review of NIST SP 800-53.
The comment period on SP 800-171 and 800-171B closed on Aug. 2. NIST was poised to issue 800-171 as a final document, and 800-171B as a final draft for a second round of comments, but those plans have been put on hold.
Revision 5 of NIST 800-53 was initially proposed in August 2017 and includes next-generation controls on privacy, cyber resiliency, supply chain, and trustworthy system design, according to the agency. The standards are part of a broader effort to update federal data management practices initiated by the Obama administration in the wake of the Office of Personnel Management breach.
NIST SP 800-171 guidelines are at the core of the cyber-incident reporting requirements that DOD includes in contracts for the handling of controlled unclassified information.
NIST hosted a public meeting on CUI standards last fall, where the proposed revisions for SP 800-171 were discussed.