NIST seeks comments on controlled unclassified information publications ahead of formal update process

By Sara Friedman  / July 20, 2022

The National Institute of Standards and Technology has issued a pre-draft call for comments on four publications that explain how to protect the confidentiality of sensitive government data held on nonfederal systems, which are critical to the Pentagon's Cybersecurity Maturity Model Certification program.

The agency plans to start with NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and is asking for “feedback from interested parties to improve the publication and its supporting publications, SP 800-171A, SP 800-172, and SP 800-172A,” according to a NIST announcement on Tuesday. The agency is accepting comments through Sept. 16.

“SP 800-171 was published in June 2015 with minor updates in December 2016 and February 2020," NIST said. "Since the initial publication date, there have been significant changes in the cybersecurity threats, vulnerabilities, capabilities, technologies, and resources that impact the protection of CUI.”

“In addition,” the agency said, “there are the experiences of the organizations that have implemented SP 800-171 and its supporting publications. With these changes and opportunities to learn from implementers, NIST seeks feedback about the use, effectiveness, adequacy, and ongoing improvement of the CUI series.”

NIST wants comments in three areas: “Use of the CUI series”; “Updates for Consistency with SP 800-53 Revision 5 and SP 800-53B”; and “Updates to improve visibility and implementation.”

On use, NIST asks for information on:

1. How organizations are currently using the CUI series (SP 800-171, SP 800-171A, SP 800-172, and SP 800-172A)

2. How organizations are currently using the CUI series with other frameworks and standards (e.g., NIST Risk Management Framework, NIST Cybersecurity Framework, GSA Federal Risk and Authorization Management Program [FedRAMP], DOD Cybersecurity Maturity Model Certification [CMMC], etc.)

3. How to improve the alignment between the CUI series and other frameworks

4. Benefits of using the CUI series

5. Challenges in using the CUI series

The 800-171 series is a tailoring of NIST’s catalog of security and privacy controls, Special Publication 800-53: it starts from the moderate security control baseline and the minimum security requirements in Federal Information Processing Standards Publication (FIPS) 200 and pares them down to what nonfederal organizations need to protect the confidentiality of CUI. NIST described 800-53 Rev. 5 as a “complete renovation” of the publication when it was released in September 2020.

The pre-draft call asks for feedback on the “[i]mpact on the usability and existing organizational implementation (i.e., backward compatibility) of the CUI series if it were updated for consistency with SP 800-53 Revision 5 and the moderate security control baseline in SP 800-53B.”

When it comes to visibility, NIST wants input on:

1. Features of the CUI series that should be changed, added, or removed. Changes, additions, and removals can cover a broad range of topics, from consistency with other frameworks and standards to rescoping the criteria for inclusion of requirements. For example:

a. Addition of new resources to support implementation: The benefits and challenges of including an SP 800-53 Control Overlay and/or a Cybersecurity Framework Profile Appendix as an alternative way to express the CUI security requirements.

b. Change to the security requirement tailoring criteria: Impact of modifying the criteria used to tailor the moderate SP 800-53B security control baseline (e.g., the potential inclusion of controls that are currently categorized as NFO – Expected to be routinely satisfied by nonfederal organizations without specification)

2. Any additional ways in which NIST could improve the CUI series

NIST said the list of topics is “non-exhaustive” adding, “Comments may also include other topics related to the improvement of the CUI series. NIST will consider all relevant topics in the development of the revised SP 800-171 and its supporting publications.”

NIST’s Victoria Pillitteri provided a preview of what to expect at a CMMC conference in May. She said “the intention” is for NIST to learn from the stakeholder community “on how to improve and better streamline these resources so they are more usable and more effective and ultimately they increase how we implement cybersecurity and improve the outcomes.”

Pillitteri is the acting manager of NIST’s Security Engineering and Risk Management Group.

NIST 800-171 is foundational to DOD’s CMMC program. As part of the CMMC 2.0 revamp, the Pentagon decided to align CMMC level two directly with the 110 security requirements in NIST 800-171.

In December, Pentagon assessment leader John Ellis said DOD plans to ask NIST to put the additional 20 controls in level three of the old CMMC model into the NIST 800-171 update.

“That could be a comment that DOD submits to us. It is premature to say NIST is making any decisions. The whole point of the pre-call for comments is to see the breadth of stakeholders,” Pillitteri told Inside Cybersecurity on the sidelines of the May conference.

“DOD is a huge stakeholder but just one stakeholder," she said. "All of the other federal agencies could also leverage the CUI security requirements, so we understand DOD’s need, but we also have to balance; 171 came before CMMC, so we serve a broader audience than just DOD.”

“It is all derived from 800-53, so at the bare minimum we need to re-evaluate what has changed in 800-53 to make those corresponding changes in 800-171. That’s something we can promise we will do,” Pillitteri said.