The purpose of this document is to establish the process for evaluating sensitive, unclassified information in National Cancer Institute (NCI) nonfederal systems, also known as the NIST 800-171 Controlled Unclassified Information (CUI) evaluation process. This document is intended for individuals and organizations with responsibilities for:
• System development life cycle (e.g., program managers, information owners, developers, system/security engineers);
• Acquisition or procurement (e.g., contracting officers);
• System, security, or risk management and oversight (authorizing officials, information security officers, system owners); and
• Security assessment and monitoring (auditors, assessors, and analysts).
This document applies to nonfederal systems used to house NCI data. A determination of federal system vs. nonfederal system can be made by examining accountability for and control of a system's information, and whether the government directed the establishment of the system. For example, if the government has directed or mandated the creation or operation of an information system (e.g., through a contractual arrangement or other means of federal support), or if the government will have access to the system or will take possession of the data in the system, it is probably a federal information system; in that case 800-171 would not apply, and FISMA law would apply instead. Contracting with a nonfederal organization to host or operate your system does not exclude the system from federal regulations. If you are uncertain about whether yours is a federal information system, please contact the NCI ISSO's office for clarification.
The following are some examples of nonfederal CUI systems, but the list is not exhaustive:
• A privately operated research and development system, performing research on a novel drug compound, medical device, therapy, etc. from which discoveries or outcomes may be shared with the government.
• An external payment processing provider that processes stipends for government clinical trial participants.
• An external entity registration system used to store government contract award and awardee information.
• An externally operated HR/personnel system used to process government payrolls.
• Information systems’ vulnerability information held by a third-party vendor in their own proprietary system.
• An external system holding data revealing details of government IT infrastructure used for servers, desktops, and networks.
The 800-171 process provides stakeholders with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when the information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency, or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry. The 800-171 requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components.
NCI CUI data stored in a nonfederal system may affect the security controls and security state of both the system and the CUI data. Data stored in nonfederal systems may also expose the NCI data to new vulnerabilities. An 800-171 security evaluation is the process of evaluating nonfederal systems and their impact on the overall risk to the NCI data. Use of nonfederal systems to store and process NCI CUI data must be evaluated and shall be documented in NCI’s central application inventory and listed as a CUI/800-171 resource.
The following is a depiction of the NIST 800-171 Controlled Unclassified Information (CUI) evaluation process.