American Digital Services adheres to NIST SP 800-171 Revision 3 for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. Revision 3 introduces updates to enhance the security requirements and controls.

https://csrc.nist.gov/pubs/sp/800/171/r3/final

The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. This publication provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry. The security requirements apply to all components of nonfederal systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

Control families covered in this publication:

  • Access Control
  • Audit and Accountability
  • Awareness and Training
  • Configuration Management
  • Identification and Authentication
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical and Environmental Protection
  • System and Communications Protection
  • System and Information Integrity
     

Key Updates in Revision 3

Expanded Control Families

Revision 3 includes additional and revised controls to address emerging threats:

  • Enhanced Access Controls: Strengthened measures for verifying user identities and managing access permissions.
  • Improved Audit and Accountability: Enhanced logging and monitoring requirements to detect and respond to security incidents.
  • Advanced System and Communications Protection: New controls to secure communications and system operations against sophisticated threats.
     

New Control Families

  • Supply Chain Risk Management: Controls to address risks associated with third-party providers.
  • Cybersecurity Hygiene: Requirements for regular updates and patches to maintain system security.
     

Emphasis on Risk-Based Approach

  • Tailored Implementation: Organizations are encouraged to tailor the security requirements based on their specific risk environment.
  • Continuous Monitoring: Regular assessments and monitoring to adapt to evolving threats.
     

Implementation Tiers

Align security measures with specific implementation tiers:

  • Tier 1: Basic implementation of enhanced security measures.
  • Tier 2: Intermediate implementation with additional controls and protections.
  • Tier 3: Advanced implementation with comprehensive and robust security measures.
     

Commitment to Compliance

American Digital Services is committed to maintaining the highest standards of security for protecting CUI. By adhering to the guidelines set forth in NIST SP 800-171 Revision 3, we ensure the integrity, confidentiality, and availability of critical information.