CUI Frequently Asked Questions

General CUI Questions

What is CUI?

CUI stands for “Controlled Unclassified Information,” which is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies. It is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. (https://www.archives.gov/cui/about)

Is CUI a new requirement?

Not really. Various laws enacted by Congress, regulations issued by agencies, and other policies that apply government-wide have specifically designated certain types of unclassified information as requiring, or being eligible for, special protection by agencies to ensure the information is not made available to those who do not need it or who otherwise should not have access to it. Safeguards Information, defined in section 147 of the Atomic Energy Act of 1954, as amended, is one example of information that requires protective measures to control and limit access.

Over time, agencies developed their own names and requirements for protecting information they were responsible for designating or handling. Prior to the government-wide implementation of CUI, identical information held by two agencies might have different requirements for marking and protecting the information. The goal of CUI is to standardize the control of sensitive unclassified information across the government.

What requires the CUI program?

Executive Order 13556 "Controlled Unclassified Information" (the Order), establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee Federal executive branch agency actions to ensure compliance.

In response to the Executive Order, 32 CFR Part 2002 "Controlled Unclassified Information" was issued by NARA’s Information Security Oversight Office (ISOO) to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule directly applies to Federal executive branch agencies that handle CUI, and indirectly applies to all non-executive branch entities (e.g., NRC licensees, Agreement State regulators, State liaison officers, Tribes, vendors, owners’ groups, etc.) that handle, possess, use, share, or receive CUI or which operate, use, or have access to Federal information and information systems on behalf of an agency. (https://www.archives.gov/cui/about)

What’s the difference between the NRC SUNSI program and CUI?

CUI will replace the NRC’s current Sensitive Unclassified Non-Safeguards Information (SUNSI) program. CUI will include Safeguards Information (SGI) and other categories of unclassified information that were not included in SUNSI but that nonetheless require protection, or are permitted to be protected, under law, regulation, or government-wide policy.

How will the NRC implement CUI?

For NRC employees and contractors, the NRC published Management Directive 12.6, NRC Controlled Unclassified Information Program.

When does the NRC plan to implement CUI?

The NRC’s plans to transition to CUI on September 20, 2022, have been delayed to further support the NRC’s readiness and to minimize burden to NRC staff and external stakeholders, where practicable. Once a new CUI transition date is established, the NRC’s CUI public website will be updated to communicate the agency’s transition date to CUI. The NRC will make every effort to communicate a new transition date in advance, to keep external stakeholders informed.

How does CUI affect NRC licensees/NRC stakeholders?

The CUI Rule applies only to Executive branch agencies that designate or handle information that qualifies as CUI. The CUI Rule does not apply directly to non-Executive branch entities (e.g., NRC licensees, Agreement State regulators, State liaison officers, applicants, vendors, owners’ groups, etc.). However, the CUI Rule states that before sharing CUI with a non-Executive branch entity, agencies should enter into written agreements, whenever feasible, that require the entity to handle CUI in accordance with the CUI Rule. Thus, when non-Executive branch entities receive CUI from a government agency or create/store CUI on a government agency’s behalf, the CUI Rule applies indirectly to the non-Executive branch entities through incorporation in the contracts or agreements established between the two parties.

How do I know if I have CUI in my organization?

You’ll know when you receive CUI because it will be marked by the NRC as CUI. In addition, you’ll know if you are creating CUI on behalf of the NRC because you will do so pursuant to a contract or other formal written agreement.

How does CUI affect the NRC and its employees?

NRC employees who work with SUNSI will see the most changes to their procedures for handling, marking, protecting, destroying, and disseminating information. This is because CUI will replace the current measures that the NRC now uses under SUNSI. For example, PII will now have to be destroyed via special shredders that comply with the CUI rule requirements for destruction of CUI.

How does CUI affect NRC contractors?

For contractor employees working within NRC facilities and within NRC information systems, and handling CUI, the NRC will implement contract clauses that mirror Management Directive 12.6, thereby translating them into contractual requirements. This will be completed using FAR regulations or local clauses to complement the FAR clause(s), should the NRC determine that the FAR regulation does not provide enough detail for Agency-specific situations.

For NRC contractors handling CUI under their NRC contracts outside of NRC facilities and outside of NRC information systems, the NRC will implement clauses that translate the NARA CUI guidelines and Management Directive 12.5, “NRC Cybersecurity Program,” requirements relating to CUI cybersecurity into contractual requirements. This will be completed using FAR regulations or local clauses to complement the FAR clause(s), should the NRC determine that the FAR regulation does not provide enough detail for NRC-specific situations.

What is meant by taking possession of CUI?

When the NRC originates and designates information as CUI and shares with an entity outside the agency, the agency will provide individuals enough information to ensure the proper protection of controlled unclassified information in their possession and control, including actions to be taken if such information is discovered unsecured, a security vulnerability is noted, or the individual believes a person has been seeking unauthorized access to such information.

What types of CUI may the NRC be sharing with external stakeholders?

As examples, the types of CUI that the NRC typically handles include general business proprietary information, export controlled information, safeguards information, security-related information, and critical energy infrastructure information. There may be other CUI categories depending upon the type of information handled by the NRC staff. The types of CUI that the NRC expects to share with a non-Executive branch entity will be included in the NRC’s CUI information-sharing agreement.

What resource(s) are currently available for external business partners to share CUI and collaborate with the NRC?

The NRC currently shares and collaborates with external partners using Box. Box is FedRAMP certified at the Moderate level, which makes it an 800-171 compliant system.

Box is NOT approved for sharing, storing, or transmitting any of the following information:

  • Any information that NRC has categorized at the high impact level (e.g., information pertaining to the physical security of NRC headquarters);
  • Safeguards Information (SGI);
  • Classified Information.

Will the NRC provide CUI training?

Yes. CUI regulations specify general awareness training for all NRC employees and contractors, and specialized training for NRC employees who work with CUI Specified categories. NARA provides online CUI training resources for a widespread audience.

Where can I learn more about CUI?

General information about the history and control of CUI can be found at the NARA website.

Information about CUI at the NRC can be found on the NRC’s Public Website.

Who do I contact for questions about the NRC’s CUI program?

For questions or assistance related to the NRC’s CUI program, please email cui@nrc.gov.

NRC CUI Information-Sharing Agreements

What does the CUI rule mean by establishing an agreement before sharing CUI?

Per the CUI Rule, all Executive-branch agencies, including the NRC, are required to establish a formal information-sharing agreement with non-Executive branch entities to ensure the protection of CUI. The NRC is in the process of finalizing an information-sharing agreement that has already been shared during NRC CUI public meetings. The agreement will also be formally reviewed by OMB and made publicly available for comment, through the Paperwork Reduction Act process.

Can CUI that I receive from the NRC be shared with a third party?

If the written agreement specifies that third-party sharing is not permitted, then the recipient would need to abide by any limited dissemination markings that are included in the CUI banner. If no limited dissemination markings are included in the CUI banner, then the recipient would be able to share CUI they receive with a third party for a lawful purpose. The recipient does not need to establish a written agreement with the third party, but any CUI protections associated with the information must be shared with the third party to ensure that it remains protected.

CUI Markings

What changes are going to be made to the current markings under the NRC’s SUNSI program?

The NRC will discontinue the use of OUO markings used under the NRC’s SUNSI program and replace those markings with CUI markings, as defined in the NARA CUI Registry.

Do I have to mark my own documents with CUI-compliant markings before submitting to the NRC?

No. Non-Executive branch entities are not required to use CUI-compliant markings (unless the entity is generating CUI documents on behalf of the government pursuant to a contract, in which case the contract will specify the markings to be applied). Documents are only designated as CUI when they come into the possession of an Executive branch entity. Therefore, documents generated by a non-Executive branch entity that are not submitted to the government are not considered CUI and do not have to be marked as such. Markings that are otherwise required by law, regulation, or government-wide policy must still be applied consistent with those authorities (e.g., Safeguards Information). For example, non-Executive branch entities are still required to apply the markings required by 10 CFR 2.390, “Public inspections, exemptions, requests for withholding,” when they submit documents to the NRC pursuant to that regulation. Non-Executive branch entities are also still required to apply the markings required by 10 CFR Part 73, “Physical Protection of Plants and Materials,” for safeguards information.

Will I have to remark previous SUNSI documents with CUI markings?

No, unless the NRC’s information-sharing agreement specifies that the recipient remark paper documents. The NRC does not anticipate that non-Executive branch entities will need to remark paper documents that qualify as CUI.

Do I have to mark and handle my own information as CUI?

If the information that the originator submits is not developed for or on behalf of the government, the originator does not have to treat it as CUI because it’s their information. The NRC, however, is required to handle the information as CUI. Any NRC documents that integrate information that qualifies as CUI will be marked as CUI by the NRC and transmitted as CUI to the recipient. If the information is owned by the non-Executive branch entity, that entity does not have to handle its own information as CUI.

Is the NRC considering portion marking CUI?

Yes. Some, but not all, types of CUI generated by the NRC will require portion marking. In addition, the NRC’s CUI policy, in MD 12.6, recommends that staff separate CUI into an enclosure so that it is not commingled with other information that may be contained in NRC safety evaluations, inspection reports, etc.

Criminal History Records Information Questions

When the NRC transitions to CUI, will any existing protocols related to the transmission of criminal history records data (e.g., CHC and RAP reports generated by the Federal Bureau of Investigation) change?

The NRC will continue to serve as a liaison between licensees and the Federal Bureau of Investigation (FBI) and will not make any changes in the transmittal process for these criminal history records until the FBI implements its CUI program. When the FBI transitions to CUI, the FBI will apply the CUI banner marking for Criminal History Records Information (CUI/SP-CHRI) in the header and footer of the documents that transmit criminal history record data. The NRC does not anticipate any delays in licensees receiving criminal history records from the FBI, through the NRC, as a result of the NRC’s implementation of the CUI program. Licensees will continue to receive these records from the NRC in either a hardcopy or electronic format that permits licensees to maintain a system of files for the protection of the record and the personal information from unauthorized disclosure. Licensees’ ability to download or print the information is unchanged. Licensees must continue to protect such information in accordance with Title 10 Code of Federal Regulations (10 CFR) 73.57(f), “Protection of information,” or 10 CFR 37.31, “Protection of information,” as applicable.

The FBI criminal history record check applies to several different types of NRC licensees, including:

  • Each licensee authorized to operate a nuclear power reactor under 10 CFR Part 50, “Domestic Licensing of Production and Utilization Facilities,” and 10 CFR Part 52, “Licenses, Certifications, and Approvals for Nuclear Power Plants,” for those individuals who have or will have unescorted access to nuclear power plants, non-power production or utilization facilities, or access to Safeguards Information (SGI); or
  • Each licensee required by 10 CFR 73.57(g), “Fingerprinting requirements for unescorted access for non-power reactors,” and NRC Order EA-07-074, “Issuance of Order Imposing Fingerprinting and Criminal History Record Check Requirements for Unescorted Access to Research and Test Reactors,” for non-power reactor licensees who have individuals who wish to be an NRC-approved reviewing official; or
  • Each licensee subject to 10 CFR Part 37, “Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material,” for those individuals who have or will have unescorted access to category 1 or category 2 quantities of radioactive material or to the devices that contain the material.

Safeguards Information (SGI) Questions

Will SGI become CUI?

Yes, SGI is a category of CUI because it is unclassified information for which there are specific controls required by federal law and NRC regulations. Safeguards Information is considered “CUI Specified” under 32 CFR Part 2002, and as such, all NRC requirements governing the protection of SGI in 10 CFR Part 73 remain in effect. The NRC will be applying CUI-compliant markings to SGI (in addition to, and not commingled with, the SGI markings already required by NRC regulations).

Do I have to apply any unique markings for SGI when I send to NRC?

No. The marking requirements for SGI in 10 CFR Part 73 are not superseded by the CUI Rule. All persons must continue to apply these required markings as required by 10 CFR Part 73. NRC staff will also be applying CUI-compliant markings to any SGI that it handles internally or shares with external stakeholders.

Freedom of Information Act (FOIA) Questions

How will FOIA requests change under CUI?

The CUI Rule has no effect on how agencies respond to FOIA requests. The CUI Rule does not create any new exemptions to FOIA allowing agencies to withhold information from the public. The CUI Rule establishes uniform requirements governing the handling of unclassified information within the federal government. If a document that qualifies as CUI is requested by a member of the public under the FOIA, it may only be withheld from public disclosure if it also qualifies for withholding under one of FOIA’s exemptions.

NRC CUI Inspections

Is the NRC going to conduct CUI inspections?

Unless an unusual circumstance or cybersecurity event warrants NRC action, the NRC does not plan to inspect or audit non-Executive branch entities.

NIST SP 800-171 Questions

What is NIST SP 800-171?

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 was published in June 2015 to provide requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal information systems and organizations. It was jointly developed by NARA, NIST, and the Department of Defense (DoD) to alleviate some of the potential impact of such requirements on non-Executive branch entities and to define security requirements for protecting CUI in non-Federal information systems and organizations.

It was specifically developed to be used:

  1. when the CUI is resident in non-Federal information systems and organizations;
  2. when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
  3. where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.

It was also designed to focus on Federal Information Security Modernization Act (FISMA) 2014 Moderate level security requirements and to help minimize implementing some controls that were geared mostly toward federal agencies. NIST SP 800-171 was also intended to help non-Executive branch entities, including contractors, to comply with the security requirements using the systems and practices they already have in place, rather than trying to use government-specific approaches. (https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)

Why should I implement NIST SP 800-171?

The CUI Rule incorporates NIST SP 800-171 by reference to ensure that information that is shared with non-Executive branch entities is protected in non-Federal information systems. The CUI Rule requires agencies, through formal information-sharing agreements, to require that non-Executive branch entities protect CUI in accordance with the CUI Rule, the CUI Registry, applicable laws, regulations, and government-wide policies, and NIST SP 800-171. The protection of CUI that resides in non-Federal information systems and organizations is of utmost importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. It is vitally important to protect federal CUI in non-Federal systems, that is, in information systems other than those directly used or operated by or on behalf of a federal agency.

Do I have to satisfy NIST SP 800-171?

Although the CUI Rule does not directly impose any requirements on non-Executive branch entities, it can apply indirectly to such entities through formal information-sharing agreements with Executive branch agencies. These information-sharing agreements must, at a minimum, include provisions requiring the non-Executive branch entity to handle CUI received from the agency in accordance with the CUI Rule and report to the agency any non-compliance. In addition, if the non-Executive branch entity’s information systems process or store CUI, the CUI Rule requires agencies to use National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” when establishing security requirements in written agreements to protect CUI’s confidentiality.

Is there a current process to follow if I identify a conflict or have questions about NIST SP 800-171?

Yes. Contact NARA’s CUI Executive Agent (EA) below for executive branch-wide questions pertaining to NIST SP 800-171.

CUI Executive Agent
Information Security Oversight Office - Controlled Unclassified Information
National Archives and Records Administration
700 Pennsylvania Ave, N.W., Room 100
Washington, DC 20408-0001
E-mail: cui@nara.gov

Contact NRC for information about NRC’s CUI program at Email: cui@nrc.gov.

How do I implement NIST SP 800-171 at my organization?

The following are steps normally taken to implement NIST SP 800-171.

The first step to implementing NIST SP 800-171 is for your organization to conduct an initial assessment to analyze the impact and scope, regardless of whether you or an outside vendor is conducting it. It is usually a three-step process:

  1. Review current business processes.
  2. Evaluate the current security state of your systems and solutions.
  3. Analyze network data for CUI.

After you complete your assessment, develop a plan to implement NIST SP 800-171 and mitigate existing gaps between your current system state and the NIST SP 800-171 requirement(s).

You should also decide whether you want to:

  • Manage NIST SP 800-171 implementation and security assessments yourself. This will require in-house expertise in security control requirements.
  • Partner with an independent vendor to outsource your NIST SP 800-171 assessment and implementation process establishment needs.
  • Adopt a hybrid approach: manage the data yourself, but outsource the IT system used to process, store, or transmit CUI. A NIST SP 800-171 compliant Cloud Service Provider (CSP) can be an option and can make you compliant if the CSP’s SaaS offering is FedRAMP certified. In fact, this may be the opportunity you have been waiting for to make the push to SaaS services like Office 365, Box, and Google G Suite. All have components that are FedRAMP certified at the Moderate level.

Additionally, organizations should also establish responsibilities and efficient processes to achieve sustained NIST SP 800-171 compliance over the long haul. Employing third parties to provide a thorough review of current practices across the entire enterprise can help expedite NIST SP 800-171 implementation and reduce the chance of ambiguity.

Whether the organization decides to manage compliance measures and security assessments themselves or choose a hybrid approach, NIST recommends the following six general steps to implement NIST SP 800-171.

  1. Locate and Identify: Identify the systems on your network that hold or might hold CUI. These storage locations could include local storage, Network Attached Storage devices, cloud storage, portable hard drives, and flash drives. Remove CUI from locations that are not permitted to hold CUI.
  2. Categorize: Categorize your data and separate CUI files from non-CUI files. Use this step to reduce unnecessary duplication of data. Completing Steps 1 and 2 forms the foundation that allows for the effective implementation of additional security controls.
  3. Implement Required Controls: Implement the 110 NIST SP 800-171 controls. The organization is responsible for NIST compliance.
  4. Train: The organization must ensure anyone who has access to their CUI receives training on the fundamentals of information security on a regular basis. In addition, the organization must train individuals on their specific processes and procedures for handling CUI.
  5. Monitor: The organization is responsible for assessing and monitoring those who access CUI.
  6. Assess: Conduct security assessments by examining all systems that may contain CUI. Security assessments must be completed on a regular basis.

Can I use systems certified under another organization (ISO, etc.) to satisfy NIST SP 800-171 compliance?

The answer should be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory, and contractual perspective, since that understanding establishes the minimum set of requirements necessary to comply. This understanding makes it easier to determine what you need to focus on for selecting a set of cybersecurity controls that cover the same fundamental building blocks of the 800-171 requirement.

It would be best to crosswalk the NIST SP 800-171 controls with the other cybersecurity framework used to show your compliance with the implementation requirement.

What type of help is available for non-Executive branch entities working on NIST SP 800-171 compliance?

Free resources are available, such as NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information.” There are also companies that provide cybersecurity service to assist companies to be compliant with NIST SP 800-171.

How Do NIST 800-171 Security Controls Apply to the Cloud?

The basic rules for cloud can be summarized as follows:

  • If the organization is operating its own cloud, it must follow NIST SP 800-171.
  • If the organization is using a third-party cloud service provider (CSP), the CSP must be able to meet NIST SP 800-171 or the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline requirements. It would be best if the CSP was FedRAMP certified. In either case, the organization must be able to demonstrate that it meets either the FedRAMP Moderate baseline or the NIST SP 800-171 requirements. It is also critical to implement information security measures as per NIST SP 800-53, as well as FIPS Publication 200, which NIST SP 800-171 doesn’t highlight. While the latter focuses on the protection of CUI, NARA and NIST expect you to comply with all laws addressing the security of all sensitive data you’re transmitting, storing, or processing on behalf of a federal agency.
  • The agreement between the organization and CSP should capture the NIST SP 800-171 requirement.
  • If a contractor is operating a cloud-based system on behalf of the government, then the contractor must meet the FedRAMP System Requirement Guidelines and all other requirements for government systems.

Will I have to upgrade information system components to be compliant?

This all depends on whether there are known vulnerabilities that cannot be mitigated without upgrading the information system components. You must consider that the significant increase in the complexity of the hardware, software, firmware, and systems within the public and private sectors (including the U.S. critical infrastructure) represents a significant increase in attack surface that can be exploited by adversaries. Therefore, upgrading or modernizing your environment can help to minimize the threat vectors used by adversaries to gain unauthorized access to your environment.

By what date must I fully satisfy NIST SP 800-171?

The NRC has not established a date since it would vary, based upon the resources available to each non-Executive branch entity. The general expectation is that when the non-Executive branch entity signs the NRC’s CUI information-sharing agreement, if they intend to download, print, or forward CUI they receive from the NRC, they must meet NIST SP 800-171. At a minimum, a system security plan and plan of action and milestones (e.g., gap analysis) must be in place to download, print, or forward CUI received from the NRC.

What security documents are needed to support compliance with NIST SP 800-171?

It is a best practice to have the following documents for your system and organization.

  • Your organization’s cybersecurity policies, standards, baseline secure configuration & procedures with identified NIST SP 800-171 controls.
  • System Security Plan (SSP) for the CUI processing environment.
  • Periodic Security Assessment Reports (results from a NIST SP 800-171A type assessment).
  • Plan of Action & Milestones (POA&M) for mitigating vulnerabilities and identified gaps in meeting NIST SP 800-171 requirement.

Is there a certification requirement for NIST SP 800-171?

No. The NRC permits non-Executive branch entities to self-certify their compliance to NIST SP 800-171 at this time. Although this is not expected to be common, the NRC may ask that the non-Executive branch entity submit their system security plan and plan of action and milestones for NRC review.

Can I procure a NIST SP 800-171 compliant system?

Yes, you can acquire system services for processing CUI that are NIST SP 800-171 compliant. However, keep in mind that compliance with NIST SP 800-171 cannot be achieved by following policy, procedures, and/or standards exclusively. To help focus the security procedures within your organization, standards and baselines should also be defined. Standards and baselines are directed at the technology implemented in an organization, whereas policies and procedures focus on guiding behaviors. Organizations should ensure that proper technical configurations (baseline security settings), hardware and software solutions, and technical, management/administrative, and operational controls are implemented within their CUI data processing environment, and should assess their environment to ensure required security controls are in place.

What general process should I follow to meet NIST SP 800-171?

There are several steps that can help you satisfy NIST SP 800-171:

  • Step #1. Seek advice from your federal or state agency. Even if you are not an NRC external partner or contractor, if you provide services to other government agencies, there is a good chance that those agencies will ask you to prove your compliance with NIST SP 800-171. You need to make sure that you fully understand what your federal or state agency expects from you and their deadlines. The NRC will notify external partners about expectations and deadlines, if any.
  • Step #2. Define CUI as it applies to your organization. Identify where CUI is stored, processed, or transmitted in your network.
  • Step #3. Perform gap analysis. Sub
  • Step #4. Prioritize the requirements of NIST SP 800-171. Use it to plan the actions you need to take.
  • Step #5. Implement changes. Implement changes according to the results of your gap analysis and prioritization.
  • Step #6. Ensure your partners are compliant as well. Even if you have achieved compliance with NIST SP 800-171, that does not mean your partners or subcontractors that you routinely share CUI with are also compliant. You need to make sure that they are familiar with all the requirements and have the necessary controls in place.
  • Step #7. Designate a professional responsible for compliance. NIST SP 800-171 provides general recommendations on how to protect CUI, so you need to designate a person who will be responsible for preparing documentation and evidence of how your organization is protecting CUI, as well as engaging your IT team and management in the compliance process. Another good practice is to hire a consultant who provides advisory and assessment services to help you meet your NIST SP 800-171 needs.

How much will it cost me to satisfy NIST SP 800-171?

This will depend on the size of your system and the approach taken.

Is there any federal or state tax incentive for meeting NIST SP 800-171?

No. The NRC is not aware of any tax incentives.

Do I have to implement NIST SP 800-171 if the NRC transmits CUI in hard copy to me?

No. Although you do not have to meet NIST SP 800-171, you still have to ensure that CUI provided to you in hard copy format (e.g., paper) is protected at your organization, consistent with the CUI Rule, the NARA CUI Registry, and the information-sharing agreement.

Do I have to implement NIST SP 800-171 if the NRC provides an alternative (e.g., a portal) for me to view CUI in a “read-only” mode?

No. If you only need to view the CUI document and have not downloaded, printed, or otherwise stored it on a non-Federal information system, then you do not have to implement NIST SP 800-171. The NRC is aware that many of its stakeholders would not be able to satisfy the requirements of NIST SP 800-171 given the burden. Therefore, the NRC is evaluating technology that will permit a non-Executive branch entity to access CUI in “view only” mode, thus preventing the non-Executive branch entity from downloading, printing, or forwarding CUI received from the NRC. Additional dialogue on the NRC’s progress will be communicated via NRC public forums and other agency communication tools.

Will I be able to receive CUI from the NRC if I am not in compliance with NIST SP 800-171?

Yes. The NRC is still evaluating technology that will permit you to access CUI in “view only” mode and/or the NRC can share CUI in hard copy format.

CUI Mishandling Questions

Are there penalties for mishandling CUI?

32 CFR Part 2002 says that if there are specified sanctions in statute, regulation, or government-wide policy applicable to mishandling of the information in question, those sanctions would continue to apply. The CUI Rule also allows for agency heads to exercise any authority they may have to take administrative action against agency personnel who misuse CUI, although the CUI Rule does not itself create new authority for agency heads in this regard.

Do I have to report if there is a CUI breach?

Yes. The NRC’s CUI information-sharing agreement specifies that any breach needs to be reported to the NRC CUI Senior Agency Official, along with other details.

Who do I report a cybersecurity incident to if the information system processing CUI gets compromised?

First, let’s define “computer security incident.” A computer security incident within the U.S. Federal Government is defined by the National Cybersecurity and Communications Integration Center (NCCIC) and the U.S. National Institute of Standards and Technology (NIST) as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. According to NIST SP 800-171 section 3.6, the Incident Response family of security requirements focuses on establishing an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response.

Additionally, NIST SP 800-61, the Computer Security Incident Handling Guide, states that “organizations must create, provision, and operate a formal incident response capability.” In other words, you must first develop a viable incident response strategy that enables you to respond promptly to any incident that could result in a data breach or system downtime.

The best recommendation here is to implement capabilities to detect, analyze, and respond to security incidents; report these incidents to the appropriate officials; and test your incident response plan regularly. The agreement and contract that non-Executive branch entities have with the NRC or other federal agencies will identify where CUI incidents should be reported. For instance, DoD contractors report cyber incidents in accordance with DFARS Clause 252.204-7012. Simply put, non-Executive branch entities should report in accordance with the reporting requirements identified in their contract or other agreement.

Page Last Reviewed/Updated Monday, August 08, 2022