
NIST 800-171 Revision 3: Updated Requirements for CUI Protection

June 13, 2023

NIST has published the final version of Special Publication (SP) 800-171 Revision 3. Learn what changes Revision 3 introduces. Updated May 2024.

The National Institute of Standards and Technology (NIST) developed the NIST 800-171 to set guidelines and security requirements for protecting Controlled Unclassified Information (CUI). NIST first published the framework in June 2015 and has since revised it several times, most recently in November 2023. 

The standard defines how contractors must protect CUI in nonfederal systems. The current enforceable version is NIST 800-171 Revision 2, published in February 2020, which remains the baseline for DoD cybersecurity programs, including CMMC Level 2 assessments. 

Although Revision 3 was released in May 2024, it is not yet mandatory for contractors. It will only become enforceable after federal agencies formally update contract clauses and regulatory requirements, with a transition period expected to allow organizations time to align their security controls.

NIST’s latest revision, known as NIST 800-171 Revision 3, includes significant updates to the publication’s control families, security controls, tailoring criteria, and organization-defined parameters (ODPs). Revision 3 notably requires organizations to comply with stringent third-party risk management requirements, including implementing risk assessment workflows, continuous monitoring, and additional supply chain risk management strategies. 

Learn what your organization needs to do to comply with NIST 800-171, and discover how Planet 9 can help you on your journey to becoming NIST compliant.

What is NIST 800-171?

NIST SP 800-171 serves as a foundational set of security requirements for DoD contractors to safeguard CUI. It defines the minimum cybersecurity controls organizations must implement to reduce the risk of data exposure, misuse, or loss. In practical terms, it sets a clear baseline for protecting sensitive government data and maintaining eligibility for federal contracts.

The main attributes of NIST 800-171 include:

NIST requirements apply to non-federal system components that handle, store, or transmit CUI or provide protection for such components. The requirements outlined in NIST SP 800-171 are typically enforced through contractual agreements between federal agencies (e.g., DoD) and nonfederal organizations (contractors).

While contractors who handle CUI are not required to implement Revision 3 for now (per a class deviation to DFARS 252.204-7012), the Department of Defense is expected to eventually make it obligatory by incorporating Revision 3 into both DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012), and the forthcoming Cybersecurity Maturity Model Certification (CMMC) program.

Let’s dive deeper into the NIST 800-171 Revision 3 updates. 

NIST 800-171 Revision 3 vs Revision 2: what changed, and why it matters

NIST SP 800-171 Revision 2 and Revision 3 share the same goal: protecting CUI in nonfederal systems. However, they differ in structure and how clearly requirements are defined for assessment. For US defense contractors, the distinction matters because Revision 2 remains the baseline for most DoD-aligned programs today, while Revision 3 reflects NIST’s updated approach and is expected to become the future reference once federal contracting requirements transition. The comparison below highlights the most practical changes teams should understand for compliance planning, documentation, and audit readiness.

NIST SP 800-171 Rev. 2, published in February 2020, remains the current baseline for most Department of Defense (DoD) contractors and is the foundation of today’s CMMC Level 2 requirements. It includes 110 requirements across 14 control families and is derived from selected NIST SP 800-53 controls. However, some requirements allow broader interpretation, which can lead to inconsistencies during assessments.

NIST SP 800-171 Rev. 3, released in May 2024, introduces structural and clarity improvements. It reduces the total number of requirements to 97 while expanding to 17 control families and aligning more explicitly with NIST SP 800-53. Rev. 3 also introduces organization-defined parameters (ODPs), allowing agencies or organizations to specify certain control values. Its more precise language is designed to reduce ambiguity and improve assessment consistency. Rev. 3 will become mandatory only after federal agencies, such as the DoD, update their contract requirements and regulatory frameworks.

No more distinction between basic and derived requirements 

NIST 800-171 Revision 3 has eliminated the distinction between basic security requirements (derived from Federal Information Processing Standards (FIPS) 200) and derived requirements (from NIST SP 800-53). Revision 3 requirements were reworked using 800-53 as “the single authoritative source” in an effort to make the requirements clearer and more specific.

More specific security requirements

In Revision 3, the NIST 800-171 security requirements have been made more specific in response to feedback that previous requirements were too open to interpretation. The more detailed security requirements aim to improve implementation effectiveness and clarify the scope of the assessment.

For example, the modifier “periodically” was used in contractor requirements throughout SP 800-171 Revision 2 (e.g., Control 3.12.4 requires contractors to “develop, document, and periodically update system security plans…”). Revision 3 instead requires reviewing and updating the system security plan at an organization-defined frequency.

Introduction of Organization-Defined Parameters (ODPs)

NIST 800-171 Revision 3 includes organization-defined parameters (ODPs) for specific security requirements. The ODPs provide federal agencies with flexibility by allowing them to specify values for designated parameters (time period, circumstances, conditions, frequency, functions, and/or roles) within those security controls to safeguard controlled unclassified information (CUI). See Appendix D of NIST 800-171 for more details.

Reflecting the recent changes in NIST SP 800-53 and SP 800-53B

In response to feedback that organizations are overwhelmed by the number of security and risk management frameworks, the updated NIST 800-171 requirements are now better aligned with NIST SP 800-53, rev. 5, and NIST SP 800-53B. To facilitate harmonization of requirements, NIST has provided a Prototype CUI Overlay that shows how the moderate control baseline in NIST SP 800-53B can be tailored to align with NIST SP 800-171 security requirements.

NIST 800-171 Rev. 3 control families

Compared to Rev. 2, NIST 800-171 Rev. 3 is organized around 17 control families necessary for safeguarding CUI. The families are listed below (the last three, marked with an asterisk (*), were added in Revision 3):

Access control: the largest control family focuses on ensuring only authorized users can access systems and CUI. Organizations must manage user accounts, limit privileges to what is strictly necessary, secure remote and mobile access, and control how sensitive data moves within systems.

Awareness and training: organizations must ensure personnel understand cybersecurity risks and their responsibilities. This includes ongoing security awareness and role-based training to reduce risks from insider threats, social engineering, and human error.

Audit and accountability: these controls ensure user activity is traceable. Organizations must log and review system actions, investigate anomalies, and generate audit records that support monitoring, incident investigation, and compliance evidence.

Configuration management: systems must operate in a controlled and documented state. Organizations are required to limit unauthorized software, track system changes, and ensure systems are configured to provide only essential functionality.

Identification and authentication: before granting access, systems must reliably verify users and devices. This includes strong authentication methods such as MFA, secure credential management, and timely credential updates after risk events.

Incident response: organizations must be prepared to detect, respond to, and recover from security incidents. This includes maintaining an incident response plan, documenting incidents, testing response capabilities, and training staff on response procedures.

Maintenance: system maintenance activities must be controlled and monitored. This includes approving maintenance actions, securing remote maintenance, and preventing malicious code from being introduced during servicing.

Media protection: CUI stored on physical or digital media must be protected throughout its lifecycle. Organizations must control access, securely store and transport media, and sanitize it before disposal or reuse.

Personnel security: personnel changes must be managed carefully. Organizations must verify individuals, enforce security agreements, and promptly adjust access during hiring, role changes, or offboarding.

Physical protection: physical access to systems and facilities must be restricted. Organizations must limit entry to authorized individuals and maintain records of physical access activity.

Risk assessment: organizations must regularly assess CUI risks and identify vulnerabilities that could lead to unauthorized disclosure, ensuring these risks are documented and addressed.

Security assessment: security controls must be continuously evaluated. This includes maintaining remediation plans (POA&Ms) and implementing ongoing monitoring to confirm controls remain effective.

System and communications protection: these controls focus on securing data in transit and at system boundaries. Organizations must segment networks, use encryption, and block unauthorized communications by default.

System and information integrity: organizations must detect and remediate vulnerabilities quickly. This includes monitoring for malicious activity, scanning systems and files, and keeping protective mechanisms up to date.

Planning*: addresses the development and maintenance of policies, procedures, and rules. It also requires developing and maintaining a system security plan (SSP).

System and service acquisition*: security must be considered throughout system development and procurement. Organizations must address risks tied to unsupported components and plan for secure system changes.

Supply chain risk management*: organizations must manage cybersecurity risks introduced by vendors and suppliers. This includes maintaining a supply chain risk plan, protecting it from disclosure, and using procurement practices that reduce exposure.

Not sure how to approach your NIST SP 800-171 Rev. 3 assessment or prepare for upcoming CMMC requirements? Working with experienced compliance experts can help you evaluate your current security posture, identify gaps, and define a practical remediation plan. CMMC readiness services support you in aligning your controls with federal expectations, improving protection of Controlled Unclassified Information (CUI), and progressing toward compliance in a structured and efficient way.


FAQs

How can I prepare for a CMMC Level 1 assessment?
Start by conducting a self-assessment using a reliable CMMC Level 1 checklist. Review each control, document supporting evidence, and remediate any gaps through security policy updates, employee training, and improved access controls before submitting your self-attestation to the DoD Supplier Performance Risk System (SPRS).
Why is protecting CUI important?
Protecting CUI helps prevent unauthorized disclosure of sensitive federal information, supports national security, and ensures compliance with contractual obligations under DFARS 252.204-7012 and CMMC 2.0.