Home › Forums › Groups Forums › Knowledge Management & Information Sharing › Protecting Controlled Unclassified Information › Revision of NIST SP 800-171 – Ask Your Questions Now › Reply To: Revision of NIST SP 800-171 – Ask Your Questions Now
It is our impression the National Archives in coordination with other U.S. Government organizations are working hard to standardize the methods for protecting Controlled Unclassified Information. The challenge we as contractors face are historical/traditional protection methodologies from a risk adverse perspective. We have to be prepared to carefully communicate to our government colleagues the changes that are taking place from a CUI perspective and compliance isn’t the only answer.
We have guided both our internal and external customers through demands based upon variable requirements. We have noticed many of the conflicting requirements are not focused on protecting CUI but providing additional data integrity or availability protection methods. Examples of these protections have focused on fiscal, laboratory testing and aviation safety requirements.
It is our recommendation that you work closely with your companies contracting and leadership organizations when conflicting requirements are discovered. Your security engineers will need to clearly identify the ‘171 requirements in addition to specific security controls that have been identified to protect your specialized system based upon contractual requirements. You will need to bring this information forward to your management teams in order to create a clear understanding what is CUI and what isn’t. Your efforts may enable your company’s leadership team to negotiate the specialized protection requirements costs with the government versus absorbing the costs.
As you are aware, each of these situations will need to be handled on a case by case basis. In the long run your enterprise architecture may end up evolving to protect CUI and specialized data and information from internal and external threats.