In this course, Cybrary's Kelly Handerhan takes us through the fourteen families of security requirements for protecting controlled unclassified information (CUI) as defined in NIST Special Publication 800-171. The publication, issued by the National Institute of Standards and Technology (NIST), governs the handling of unclassified but sensitive federal information on systems run by nonfederal organizations, such as contractors. It is part of the CUI program, an initiative to standardize the many ad hoc agency markings for unclassified information, such as "For Official Use Only" (FOUO) and "Sensitive But Unclassified" (SBU), under a single scheme. Keep in mind that information being unclassified does not mean it should be freely available to anyone who wants it; security controls are still vital to safeguard such information once it leaves federal infrastructure.
The audience for NIST 800-171 includes developers and others with responsibilities in the system development life cycle (SDLC), project managers, staff who procure and outsource equipment and services, risk management personnel, and anyone else in an organization who handles CUI. The fourteen families of requirements, also known as "domains", cover the essential security controls for safeguarding CUI. These are the same controls you would encounter in other security-focused certification courses such as Security+; the requirements themselves are drawn from FIPS 200 and the moderate security control baseline of NIST SP 800-53.
Each domain has a set of requirements known as the "Basic" requirements, which state the high-level goals of the domain. A second set, the "Derived" requirements, supplements the basic requirements with more specific means of meeting those goals. As an example, the basic requirements for the "Awareness and Training" domain require that managers, system administrators, and users of systems handling CUI are made aware of the security risks of their activities and of the applicable policies, standards, and procedures, and that personnel are trained to carry out their assigned security duties.
The derived requirements specify how the goals in the basic requirements are implemented. In the case of "Awareness and Training", the derived requirement adds security awareness training on recognizing and reporting potential indicators of insider threat. Kelly points out that although all domains have a basic set of requirements, two of them have no corresponding derived requirements. (This basic/derived split applies to Revisions 1 and 2 of the publication; Revision 3, published in 2024, merges them into a single set of requirements.) Each module in this course discusses a specific domain and its corresponding basic and derived requirements as set forth in NIST 800-171.