The Inner Circle

 View Only
Expand all | Collapse all

NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Call for Comments

  • 1.  NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Call for Comments

    Posted Jul 19, 2022 08:51:00 AM
    Hi All,

    NIST is seeking information for a planned update of the Controlled Unclassified Information (CUI) series of publications, starting with Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This Pre-Draft Call for Comments solicits feedback from interested parties to improve SP 800-171 and its supporting publications, SP 800-171A, SP 800-172, and SP 800-172A.

    NIST seeks your feedback on the use, potential updates, and opportunities for ongoing improvement to the CUI series. Potential topics for comments and feedback range from how organizations are currently using the CUI series of publications – including how the series is being used with other frameworks and standards (e.g., NIST Risk Management Framework, NIST Cybersecurity Framework, GSA Federal Risk and Authorization Management Program [FedRAMP], DOD Cybersecurity Maturity Model Certification [CMMC], etc.) – to suggestions for features of the CUI series that should be modified, added, or removed.

    How to Comment?
    View the Pre-Draft Call for Comments (https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/draft) for details on how to submit your comments by September 16, 2022.
    Questions about this call for comments? Contact us at [email protected].

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------


  • 2.  RE: NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Call for Comments

    Posted Jul 20, 2022 09:12:00 AM
    Thanks Michael,
    I have provided the NIST-team my blunt feedback on the NIST 800-171r2 framework etc. Feasible within a "network access world" ... not very elegant in a layer 7 access world without privileges, no 3rd party dependencies, with multilayered encryption and ephemeral connectivity and communication etc. etc. 
    Rather than organisations adapt to NIST 800-171 for CMMC 2.0 certification - and following a process that takes MONTHS and cost thousands of dollars ... you can be CMMC 2.0 compliant in just a few hours.
    Sorry - but I think time is right for avoiding complexity and all these controls - and just add a solution which is delivering or impacting 90% of the NIST 800-171 framework out of the box.
    Cheers,
    /Niels

    ------------------------------
    Niels E. Anqvist
    CEO/President
    ZAFEHOUZE USA / ZAFEHOUZE EMEA
    ------------------------------