Controlled Unclassified Information (CUI) became a thing in November 2010 with the signing of EO 13556. But like all things government policy, that documentation was just a foreshadowing of what was to come, and many security professionals, particularly those in industry, have been waiting for implementation guidance and clarity. This week the National Institute of Standards and Technology (NIST) has done just that with the publication of its finalized guidelines for protecting this data: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171, Revision 3), and Assessing Security Requirements for Controlled Unclassified Information (NIST SP 800-171A, Revision 3).
“For the sake of our private sector customers, we want our guidance to be clear, unambiguous and tightly coupled with the catalog of controls and assessment procedures used by federal agencies,” said NIST’s Ron Ross, one of the publications’ authors, in an article published on the NIST website. “This update is a significant step toward that goal.”
CUI, more than your typical national security classification system, has been a work in progress over the past decade. In the past several years, two of the biggest issues have been widely diverse policies and implementation strategies among contractors, along with a bent toward over-categorizing, or slapping CUI markers on information that isn’t truly sensitive.
The move by NIST toward unambiguous guidance, more tightly tied to other efforts to streamline the Defense Industrial Base, specifically the implementation of CMMC, is a step in the right direction. Too many companies today are marching to their own CUI beat. Like many things in the contracting space, it’s taken several years for clarity in contract rules and awards when it comes to CUI. And there will be more contract clean-up and clarification needed in the years to come.
New NIST guidance also includes updated assessment procedures, which will hopefully help more individual security officers and companies to ensure they’re maintaining compliance, without creating redundant or excessive policies around CUI. This additional guidance on security requirement assessments was a direct response to feedback provided during the policy’s public comment period.