Hi All,
NIST has published the final versions of:
SP 800-171r3 (Revision 3), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and
SP 800-171Ar3, Assessing Security Requirements for Controlled Unclassified Information.
Major updates to SP 800-171r3 include:
• Restructured security requirements to show direct alignment with SP 800-53r5 controls
• Introduction of organization-defined parameters (ODP)
• New tailoring criteria to reduce potential redundancy and improve clarity
• Recategorization of controls based on the new tailoring criteria
• Outcome-oriented guidance to reduce ambiguity and better support implementation
NIST is also issuing a CUI Overlay, an FAQ, and an analysis of changes between SP 800-171r2 and SP 800-171r3.
Major updates to SP 800-171Ar3 include:
• Modifications to achieve consistency with the SP 800-171r3 security requirements and source SP 800-53Ar3 assessment procedures
• Modifications to the assessment procedure structure and syntax
• Inclusion of ODPs to facilitate traceability and usability
• Guidance on conducting security requirement assessments
• A one-time "revision number" change for consistency and alignment with SP 800-171r3
The security requirements and assessment procedures have been issued concurrently through the Cybersecurity and Privacy Reference Tool (CPRT), https://csrc.nist.gov/projects/cprt, to give users additional ways to access the datasets (i.e., via browser, download as a spreadsheet, and JSON).
For more information about the NIST Protecting CUI Project and other resources, see: https://csrc.nist.gov/Projects/protecting-controlled-unclassified-information. Please direct questions and comments to [email protected].
------------------------------
Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA, CSA Research Fe
------------------------------