NIH | National Cancer Institute | NCI Wiki  

...

This document applies to nonfederal systems used to house NCI data. Whether a system is federal or nonfederal can be determined by examining accountability for and control of the system's information, and whether the government directed the establishment of the system. For example, if the government has directed or mandated (e.g., through a contractual arrangement or other means of federal support) the creation or operation of an information system, or if the government will have access to the system or will take possession of the data in the system, it is probably a federal information system. In that case CUI 800-171 would not apply; FISMA law would apply instead. Contracting with a nonfederal organization to host or operate your system does not exclude the system from federal regulations. If you are uncertain about whether yours is a federal information system, please contact the NCI ISSO's office for clarification.

The following are some examples of nonfederal CUI systems, but the list is not exhaustive:


The 800-171 process provides stakeholders with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when the information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency, or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry. The 800-171 requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components.

...