NIH | National Cancer Institute | NCI Wiki  


This document is intended for individuals and organizations with responsibilities for:

  • System development life cycle (e.g., program managers, information owners, developers, system/security engineers);
  • Acquisition or procurement (e.g., contracting officers);
  • System, security, or risk management and oversight (authorizing officials, information security officers, system owners); and
  • Security assessment and monitoring (auditors, assessors, and analysts).

The 800-171 process provides stakeholders with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when the information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency, or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry. The 800-171 requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components.

NCI CUI data stored in a nonfederal system may impact the security controls and security state of the system and the CUI data. Data stored in nonfederal systems may also present new vulnerabilities to the NCI data. An 800-171 security evaluation is the process of evaluating nonfederal systems and their impact on the overall risk to the NCI data. Use of nonfederal systems to store and process NCI CUI data must be evaluated and shall be documented in NCI’s central application inventory and listed as a CUI/800-171 resource.

Following is a depiction of the NIST 800-171 Controlled Unclassified Information evaluation process.

