Security requirements that previously applied only to federal information systems now apply to some nonfederal organizations as well, including state and local governments, colleges and universities, tribal governments, and independent research organizations.
The National Institute of Standards and Technology (NIST) published Special Publication 800-171 (NIST 800-171), Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations, in June 2015 (updated January 21, 2016). With this standard, the federal government extends mandatory safeguards to nonfederal organizations that process, store, or transmit CUI on behalf of a federal agency; the requirements become binding when an agency writes them into a contract, grant, or other agreement. Examples of CUI include health records, proprietary material, and information related to legal proceedings. For Department of Defense contractors, compliance is mandatory by December 31, 2017 (the deadline set by DFARS clause 252.204-7012).
NIST 800-171 organizes its security requirements into 14 families, comprising 109 individual requirements (commonly referred to as controls).
These requirements are derived from FIPS 200 and the moderate baseline of NIST SP 800-53, tailored to protect the confidentiality of CUI in nonfederal IT systems. Some requirements apply only to the systems and people that handle CUI, while others apply to the entire network, all users, or the whole facility, so scoping which systems and organizational units touch CUI is the first practical question.
If you are one of the nonfederal organizations that handle CUI, it is important to prepare for compliance with NIST 800-171. Non-compliance can mean lost federal contracts or financial penalties, and the absence of the required safeguards leaves sensitive systems and data exposed to compromise.
The best place to start is to perform a gap assessment.
You use the assessment to:
- Measure in-scope systems and organizational units against each of the NIST 800-171 requirements
- Identify, analyze, and report the requirements that are not fully met, with evidence of the current state
- Prioritize the gaps by risk and remediate them so that every applicable requirement is satisfied