NIST 800-53 REV 5 • PROGRAM MANAGEMENT
PM-17 — Protecting Controlled Unclassified Information on External Systems
a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and
b. Review and update the policy and procedures {{ insert: param, pm-17_prm_1 }}.
Supplemental Guidance
Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) and, specifically for systems external to the federal organization, [32 CFR 2002.14h](https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/xml/CFR-2017-title32-vol6-part2002.xml). The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes.
Practitioner Notes
When your CUI or other controlled information is processed on external systems — contractor laptops, cloud services, partner networks — you need policies and controls to protect it even though you do not own those systems.
Example 1: Include CUI protection clauses in all contracts and service agreements. Require subcontractors to meet NIST 800-171 requirements and provide evidence of compliance before granting them access to your controlled information.
Example 2: In Microsoft 365, use Sensitivity Labels to mark CUI documents. Configure Data Loss Prevention (DLP) policies that prevent labeled documents from being shared externally without encryption. This protects CUI even when it travels outside your direct control to partner organizations.
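The Microsoft 365 configuration sketched in Example 2, scripted in Security & Compliance PowerShell. This is an added example, not part of the NIST control text: it assumes the ExchangeOnlineManagement module is installed, that a sensitivity label named "CUI" already exists in the tenant, and uses placeholder policy and rule names. The label-condition hashtable follows Microsoft's documented syntax for using sensitivity labels as DLP conditions; confirm the parameter set against the module version in your tenant before relying on it.

```powershell
# Added example (not from the NIST text): two Microsoft Purview DLP policies
# that enforce PM-17 intent for documents carrying a "CUI" sensitivity label.
#  - Exchange: outbound mail containing CUI is encrypted rather than blocked.
#  - SharePoint/OneDrive: sharing CUI documents with external users is blocked.
# Assumptions: ExchangeOnlineManagement module present, label "CUI" exists,
# names below are placeholders for your own naming convention.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell endpoint

$labelName = 'CUI'    # placeholder: name of your tenant's CUI sensitivity label

# Condition shared by both rules: content carries the CUI sensitivity label.
$cuiLabelCondition = @{
    operator = 'And'
    groups   = @(@{
        operator = 'Or'
        name     = 'Default'
        labels   = @(@{ name = $labelName; type = 'Sensitivity' })
    })
}

# --- Policy 1: Exchange Online, encrypt CUI mail leaving the organization ---
$mailPolicy = 'PM17-CUI-Mail'
New-DlpCompliancePolicy -Name $mailPolicy `
    -Comment 'PM-17: encrypt CUI sent outside organizational control' `
    -ExchangeLocation All -Mode Enable

New-DlpComplianceRule -Name "$mailPolicy-Encrypt" -Policy $mailPolicy `
    -ContentContainsSensitiveInformation $cuiLabelCondition `
    -AccessScope NotInOrganization `
    -EncryptRMSTemplate 'Encrypt' `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All

# --- Policy 2: SharePoint/OneDrive, block external sharing of CUI files ---
$filePolicy = 'PM17-CUI-Files'
New-DlpCompliancePolicy -Name $filePolicy `
    -Comment 'PM-17: block external sharing of CUI documents' `
    -SharePointLocation All -OneDriveLocation All -Mode Enable

New-DlpComplianceRule -Name "$filePolicy-BlockExternal" -Policy $filePolicy `
    -ContentContainsSensitiveInformation $cuiLabelCondition `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All

# Verification: confirm both rules exist and carry the intended actions.
Get-DlpComplianceRule -Policy $mailPolicy, $filePolicy |
    Format-Table Name, Mode, AccessScope, BlockAccess, EncryptRMSTemplate
```

Deploying in `-Mode TestWithNotifications` first and reviewing the incident reports before switching to `Enable` gives you evidence that the label is applied consistently to CUI before enforcement starts blocking legitimate partner exchanges.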