NIST releases more guidance on protecting unclassified information

The new procedures for agencies and vendors won't apply to national security systems without the relevant approvals.
(NIST photo)

The National Institute of Standards and Technology released procedures Tuesday for agencies and industry to assess how they protect unclassified information that requires safeguarding.

Procedures in Special Publication (SP) 800-172A, entitled “Assessing Enhanced Security Requirements for Controlled Unclassified Information,” can be tailored for self-, third-party or government-sponsored assessments.

The NIST IT Laboratory developed the procedures so agencies and vendors handling government’s controlled unclassified information (CUI) can gauge their progress implementing protections introduced in SP 800-172.

“The protection of CUI in nonfederal systems and organizations is important to federal agencies and can directly impact the ability of the federal government to successfully carry out its assigned missions and business operations,” reads the SP.


Still the guidelines won’t apply to national security systems without the approval of the appropriate agencies, like the Office of Management and Budget, and are voluntary for industry.

SP 800-172 explains how to ensure the confidentiality, integrity and availability of CUI linked to high-value assets or critical programs. SP 800-172A explains how to assess that work to:

  • identify gaps in security and risk management programs,
  • find vulnerabilities in information systems and their environments,
  • prioritize risk mitigation,
  • confirm vulnerabilities have been addressed,
  • support continuous monitoring, and
  • provide information security situational awareness.

The guidance takes into account agencies and organizations have different requirements, known threat and vulnerability information, system and platform dependencies, operational considerations, and risk tolerance.

Procedures are intended for chief information officers, privacy officers and information security officers, but also system developers and assessors, among other officials and professionals.


Assessment procedures in SP 800-172A correspond to CUI security requirements in SP 800-172.

The guidance further covers product assessments of security functions and configuration settings, generally performed by third-party testers.

“Assessments can also be conducted to demonstrate compliance to industry, national or international security standards, as well as developer and vendor claims,” reads the SP. “Since many information technology products are assessed by commercial testing organizations and then subsequently deployed in hundreds of thousands of systems, these assessments can be carried out at a greater level of depth and provide deeper insights into the security capabilities of the products.”

Latest Podcasts