Will the security requirements in the catalog be available in different data formats?
After NIST SP 800-171, Revision 3 is issued as a final publication, NIST will update the security requirements in CPRT and include CSV and JSON files that can be derived from CPRT. The CUI overlay will be published in Excel format.
Why did NIST remove the mapping of the NIST SP 800-53 security controls to the ISO 27001 security controls?
The mapping table in NIST SP 800-171, Revision 3 will focus exclusively on the NIST SP 800-53 security controls, which is the authoritative source for the security requirements. NIST is currently updating the mapping of the NIST SP 800-53, Revision 5 controls to the ISO/IEC 27001:2022 controls and will issue the update by fall 2023.
Are there special provisions for small and mid-size organizations that are required to implement the security requirements?
The CUI federal regulation requires federal agencies that use federal information systems to process, store, or transmit CUI to comply with NIST standards and guidelines. The responsibility of federal agencies to protect CUI does not change when the information is shared with nonfederal organizations. Therefore, a similar level of protection is needed when CUI is processed, stored, or transmitted by nonfederal organizations using nonfederal systems, irrespective of the organization’s size. NIST is responsible for developing and publishing the security requirements for the protection of CUI. The application and implementation of the requirements and any compliance issues related to the content of NIST SP 800-171 are the responsibility of the federal agency that has a relationship with a nonfederal organization, as expressed in a specific contract or agreement.