Enhanced Security Requirements for Protecting Controlled Unclassified Information

The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication provides federal agencies with a set of recommended enhanced security requirements for providing additional protection to the confidentiality, integrity, and availability of CUI when it is resident in a nonfederal system and organization and associated with a critical program or high value asset (HVA). It is designed as a supplement to NIST Special Publication (SP) 800-171 to protect against advanced persistent threats (APTs). The security requirements apply to the components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components only when selected and required by federal agencies to manage risks to CUI. The enhanced security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. There is no expectation that all of the enhanced security requirements will be selected by federal agencies. The decision to select a particular set of enhanced security requirements will be based on the mission and business needs of federal agencies and guided and informed by agencies’ ongoing risk assessments.