The letter, jointly authored by the Council on Governmental Relations (COGR) and the Association of American Universities (AAU), addresses the National Institute of Standards and Technology (NIST) regarding the revised draft of Special Publication 800-171, which establishes guidelines for protecting controlled unclassified information (CUI) on nonfederal information systems. The associations commend NIST for addressing previous concerns, particularly regarding the exclusion of federally funded research from explicit requirements and the clarification of the distinction between federal and nonfederal systems. They also note improvements that allow organizations to isolate CUI for cost-effective compliance and appreciate recognition of alternate security measures.
However, COGR and AAU express ongoing concerns about the potential rigidity of the 800-171 standards, cautioning that without clear emphasis on flexibility, compliance could become overly prescriptive, especially once federal acquisition regulations (FAR) reference the document. They highlight the challenges universities face due to decentralized IT infrastructures and the significant resource implications of implementing the required security controls. The letter urges NIST to ensure contractors can use alternative means to comply, and emphasizes the need for federal agencies to clearly specify when CUI requirements apply and to allow compliance costs as direct expenses. The associations reiterate their willingness to collaborate with NIST to address these issues in the final publication.
COGR and AAU sent a joint letter to the National Institute of Standards and Technology regarding the revised draft guidance on controlled unclassified information (CUI) outlined in NIST Special Publication 800-171.