
Where did this requirement originate? Who is responsible for the program?
Executive Order 13556 (November 4, 2010) designated the National Archives and Records Administration (NARA) as the Executive Agent for the CUI program. Within NARA, the Information Security Oversight Office (ISOO) carries out those Executive Agent responsibilities. In April 2013, ISOO issued a memorandum to the heads of executive departments and agencies on the management of the CUI program. In September 2016, ISOO released CUI Notice 2016-01, which set out the implementation guidance for CUI, and in June 2017 it issued CUI Notice 2017-01 with further recommendations for implementing the program. Below are excerpts from the later notice (2017-01).

A bit of background

"The Information Security Oversight Office (ISOO) exercises Executive Agent responsibilities for the CUI Program. In consultation with the Office of Management and Budget and affected agencies, on September 14, 2016, ISOO issued CUI Notice 2016-01, 'Implementation Guidance for the Controlled Unclassified Information Program.' CUI Notice 2016-01 outlines the phased implementation deadlines for agencies and describes the significant elements of a CUI Program."

Program management

"ISOO's memorandum to the heads of executive departments and agencies, 'Appointments of Senior Agency Official and Program Manager for the Controlled Unclassified Information (CUI) Program Implementation,' dated April 11, 2013, requested that agencies affirm or update their initial designations of their CUI Senior Agency Official (SAO) and also requested that they assign a CUI Program Manager (PM)."
Who is impacted by NIST 800-171?
Anyone, whether an individual or a business/contractor, who processes, stores, or transmits information that falls into one of the CUI categories for or on behalf of federal or state agencies is impacted. This covers every contractual relationship with a government agency in which CUI is handled. NARA publishes the list of CUI categories in its CUI Registry.

What are the 800-171 requirements?

The security requirements are grouped into 14 families. Each family contains its own set of requirements that the systems and programs handling CUI must meet:

- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity