NIST wants your feedback on CUI programs

Come all, come all, the National Institute of Standards and Technology (NIST) wants to hear from you! The comment period is open until September 16; until then you can submit questions, comments, and concerns regarding the protection of controlled unclassified information (CUI), the SP 800-53 control overlay, and the Cybersecurity Framework. Comments can be submitted to You will be able to see all the answers to the questions on the Protecting CUI project site after the deadline. NIST seeks to get an idea of what CUI in non-federal systems and organizations is protected. In doing so, they plan to update their CUI release series, which will include updates not only to the 800-171, but also to the 800-171A, 800-172, and 800-172A.

This call to action is listed on their website.

Questions to ask or topics to send

Need ideas on questions to ask or topics to submit regarding the revised 800-171 publication? Here are a few:

  1. How to improve alignment between the CUI series and other frameworks
  2. How organizations are currently using the CUI series
  3. All the other ways NIST could improve the CUI series

The 800-171, 800-171A, 800-172, and 800-172A series of guidelines focus on protecting CUI privacy and recommend specific security requirements to achieve this goal. What we do know is that every company interprets CUI in different ways, and sometimes the government labels information as CUI when it doesn’t really need to be. We’ve dived in the past into the world of overclassification and how it can negatively impact systems. I’ve seen companies wanting to access resources so many times, but I’ve been told that if your company doesn’t have permission, you won’t be able to access the platform you need. When you think about it, those platforms that require permissions are largely on the low side. So what is really standing there? I’ll give you a hint… it starts with CU and ends with I. Basically what the government and federal cyber centers are telling us is that to access CUI on unclassified systems, you need an authorization? And yet… we can send CUI by email as long as it’s encrypted or password protected?

Who should answer?

Small businesses (IMHO) should take full advantage of this call to action. It’s easy to get lost in all the requirements and the stress of what needs to be done to comply… the government is mindful that some of these tasks are going to be much bigger for small businesses than for medium, large or even enterprise ones. But one thing to remember is that resources become more available as more light is shed on what those requirements will be. Start hiring your support staff, outsource when you can, and stay in-house when possible.

But most importantly, keep in mind that it’s all about supporting the fighter, right? Maybe that means that, as a collective, the bidding is going up… woah, what a concept. “Dear Government, if you ask us to meet your fancy new standards, I’m going to have to charge you a bit more, because I’m going to need more people, which means I’m going to need more money. Please don’t be mad at me, or pick on me, I don’t like when mom and dad fight. Thanks, NJ.”

Action speaks louder than words

I want to add some more food for thought [as I always do at the end], hoping to be your beacon in this CMMC roller coaster. Endless rants and complaints about confusion and instability are totally within your rights. But what we love to see in this secret squirrel world is ACTION. We can complain all we want, but here’s an opportunity to ask more questions, get more information, and potentially impact their next round of updates. I would find it hard to continue to have sympathy for those who express how lost they are if they don’t take advantage of opportunities like this. At the very least, it’s an email. No more faxes, stamps, or sending flares. This is a simple email where you can add other ways NIST could improve the CUI series.