NIST SP 800-171 PDF

PURPOSE AND APPLICABILITY

The purpose of this publication is to provide federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies;8 and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. The requirements apply only to components9 of nonfederal information systems that process, store, or transmit CUI, or that provide security protection for such components. The CUI requirements are intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and nonfederal organizations. In CUI guidance and the CUI Federal Acquisition Regulation (FAR),10 the CUI Executive Agent will address determining compliance with CUI requirements.

In accordance with the proposed federal CUI regulation, federal agencies using federal information systems to process, store, or transmit CUI, as a minimum, must comply with:

• Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems (moderate confidentiality impact);11

• Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems;

• NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations; and

• NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories.12