EDUCAUSE Comments: NIST SP 800-171, Revision 3

Abstract

EDUCAUSE submitted comments to the National Institute of Standards and Technology (NIST) on January 26, 2024, regarding the near-final draft of the NIST Special Publication (SP) 800-171 cybersecurity guidelines for controlled unclassified information (CUI) held in non-federal information systems (such as those of colleges and universities). The association argued that NIST should wait to release the final draft of SP 800-171, Revision 3, until it could also release the final draft of the revised assessment guide to accompany it, since the latter is often viewed as essential to interpreting and applying the former. EDUCAUSE also suggested that NIST provide more information in SP 800-171, Revision 3, about its guiding principles for the development and deployment of organization-defined parameters (ODPs) in the CUI cybersecurity guidelines to ensure better alignment with the federal information systems cybersecurity guidelines, NIST SP 800-53, from which the CUI guidelines are derived. Finally, the association noted that NIST had left key terms relevant to compliance assessment (e.g., “periodically”) undefined and urged the agency to establish a permanent stakeholder working group to inform future revisions to SP 800-171.