NIST 800-171 Controlled Unclassified Information (CUI) Controls
NIST and NARA carried out specific tailoring actions to identify the controls that are needed to protect CUI. According to NIST 800-171, 3 criteria were used to identify which security controls or control enhancements from the NIST 800-53 rev4 moderate baseline would be considered a "CUI control" for NIST 800-171. If the following criteria were not applicable, then the NIST 800-53 rev4 control or control enhancement became a CUI control:
- The control or control enhancement is uniquely federal (i.e., primarily the responsibility of the federal government);
- The control or control enhancement is not directly related to protecting the confidentiality of CUI; or
- The control or control enhancement is expected to be routinely satisfied by nonfederal organizations without specification.
Interestingly, while there are 110 CUI controls listed in Appendix D of NIST 800-171, there are 125 unique CUI controls listed in Appendix E. The reduction of 15 controls appears to come from the mapping, which reduced redundancies. These 125 unique CUI controls are listed below: