NIST Special Publication SP 800-171

Citation
NIST, (DRAFT) Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication SP 800-171 (Nov. 18, 2014) (full-text).

Overview
The protection of sensitive unclassified federal information while residing in nonfederal information systems and environments of operation is of paramount importance to federal agencies. Compromises of this information can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. This publication provides federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) as defined by Executive Order 13556, when such information resides in nonfederal information systems and organizations. The requirements apply to: The CUI protection requirements were obtained from the security requirements and controls in FIPS Publication 200 and NIST Special Publication 800-53, and then tailored appropriately to eliminate requirements that are: Nonfederal organizations include, for example: federal contractors; state, local, and tribal governments; and colleges and universities.
 * Nonfederal information systems that are beyond the scope of the systems covered by the Federal Information Security Management Act (FISMA); and
 * All components of nonfederal systems that process, store, or transmit CUI.
 * Primarily the responsibility of the federal government (i.e., uniquely federal);
 * Related primarily to availability; or
 * Assumed to be routinely satisfied by nonfederal organizations without any further specification.