Come one, come all, the National Institute of Standards and Technology (NIST) wants to hear from you! The comment period is open through September 16, during which you can submit questions, comments, and concerns about Protecting Controlled Unclassified Information (CUI), the SP 800-53 Control Overlay, and the Cybersecurity Framework Profiles. Comments can be submitted to You’ll be able to view all responses to the questions on the Protecting CUI project site after the due date. NIST is looking to get a sense of how CUI in nonfederal systems and organizations is being protected. With that input, they plan to update their CUI series of publications, which will include updates not only to 800-171 but also to 800-171A, 800-172, and 800-172A.

This call to action is listed on their website.

Questions to Ask or Topics to Send

Need some ideas on what questions to ask or topics to send in regarding the revised 800-171 publication? Here are a few:

  1. How to improve the alignment between the CUI series and other frameworks
  2. How organizations are currently using the CUI series
  3. Any additional ways in which NIST could improve the CUI series

The suite of guidance (800-171, 800-171A, 800-172, and 800-172A) focuses on protecting the confidentiality of CUI and recommends specific security requirements to achieve that objective. What we know is that each company is interpreting CUI in different ways, and sometimes the government is labeling information as CUI when it really doesn’t need to be. We’ve dived into the world of over-classification in the past and how it can actually negatively impact systems. I’ve seen so many times companies wanting to access resources but being told that if your company doesn’t hold a clearance, you won’t be able to get to the platform you need. When you think about it, these platforms that require clearances are largely on the low side. So, what really is being held on there? I’ll give you a hint: it starts with CU and ends in I. Essentially, what the government and the federal cyber centers are telling us is that in order to access CUI on unclass systems, you need a clearance? And yet… we can email CUI as long as it’s encrypted or password protected?

Who Should Respond?

Small companies (in my humble opinion) should be taking full advantage of this call to action. It’s easy to get lost in all the requirements and the stress of what needs to get done to be compliant… it’s not lost on the government that some of these tasks are going to be a much bigger lift for smaller companies than for those that are medium, large, or even enterprise. But one thing to remember is that resources are becoming more available as more light is shed on what those requirements will be. Start hiring your support staff, outsource when you can, and stay in-house when possible.

But most importantly, keep in mind this is all to support the warfighter, right? Maybe that means, as a collective, bids go up… woah, what a concept. “Dear Government, if you are requiring us to be compliant with your new fancy standards, I am going to have to charge you a bit more, because I am going to need more people, which means I am going to need more money. Please don’t be mad at me, or take it out on me; I don’t like it when mom and dad fight. Thanks, NJ.”

Actions Speak Louder Than Words

I want to add one more piece of food for thought [as I always do at the end] in the hope of being your guiding light on this CMMC rollercoaster. The endless rants and complaints about confusion and instability are well within your rights. But what we love to see in this secret squirrel world is ACTION. We can complain all we want, but here is an opportunity to ask more questions, gain more insight, and potentially impact change in the next series of updates. I would find myself hard pressed to continue to have sympathy for those who vocalize how lost they are if they aren’t taking advantage of opportunities like this. At the very least, it’s one email. No more faxing, stamps, or sending flares. It is a simple email in which you can suggest additional ways NIST could improve the CUI series.

NJ has over 10 years inside the DoD working for various organizations and cleared defense contractors. With an ear to the ground on all things OPSEC, cyber, machine learning, and mental health, she is an untapped keg of open source information.