The National Institute of Standards and Technology (“NIST”) has extended the comment period on its recently released draft documents, NIST SP 800-171 Revision 2 and NIST SP 800-171B. The comment period for both NIST SP 800-171 Revision 2 and NIST SP 800-171B was initially open until July 19, 2019. It was recently extended to August 2, 2019.
NIST SP 800-171 Revision 2 contains only minor editorial revisions from the previous version and does not make any changes to the basic and derived security requirements outlined in Chapter Three. In comparison, NIST SP 800-171B contains new security recommendations for protecting Controlled Unclassified Information (“CUI”) in nonfederal systems and organizations where there is a higher than usual risk of exposure. The risk of exposure is heightened when CUI is part of a high value asset (“HVA”) or a critical program because it can become a target for sophisticated adversaries. In recent years, attacks on these HVAs and critical programs have increased, thus spurring the Department of Defense to ask NIST for greater protections. The resulting NIST SP 800-171 B is intended to be implemented in addition to the basic requirements laid out in NIST SP 800-171. These enhanced requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.