I was looking at the NIST 800-171 profile for Controlled Unclassified Information (CUI) and it looks like all it does is derive from the OSPP profile. While I'm sure this profile covers at least what's needed for CUI, inheriting the whole OSPP profile seems like *way* overkill and the OSPP profile itself describes NIST 800-171 as a subset. Should the nist-800-171 profile have more rules disabled or is it really that close of an overlap that the only difference is the inactivity timeout?
---------- Chuck Atkins Staff R&D Engineer, Scientific Computing Kitware, Inc.
_______________________________________________ scap-security-guide mailing list -- [email protected] To unsubscribe send an email to [email protected]
