NIST 800-171 Revision 3: Updated Requirements for CUI Protection

NIST 800-171 Revision 3 is released. Learn about the most significant changes introduced through the NIST updates.

On May 10, 2023, the National Institute of Standards and Technology (NIST) released an Initial Public Draft of Revision 3 to NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The publication serves as a baseline for cybersecurity compliance and CUI protection for federal contractors and subcontractors. 

NIST 800-171 Background

NIST SP 800-171 represents a foundational set of security requirements for safeguarding Controlled Unclassified Information (CUI) – sensitive information, which necessitates specific controls for confidentiality, access, and dissemination. The NIST requirements apply to nonfederal system components that handle, store, or transmit CUI, or that provide protection for such components. The requirements outlined in NIST SP 800-171 are typically enforced through contractual arrangements or agreements between federal agencies and nonfederal organizations. Outside of government agreements, businesses may also adopt or rely upon the cybersecurity compliance standards outlined in NIST SP 800-171. The requirements of SP 800-171 are derived from Federal Information Processing Standards (“FIPS”) 199, FIPS 200, and NIST SP 800-53

The NIST SP 800-171 evolves around a subset of controls necessary for safeguarding CUI. Under Revision 2, 14 control families were present; but with Revision 3, they are organized into 17 control families, as follows (The last three control families with an asterisk (*) have been added with Revision 3):

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintainance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment 
  • Security Assessment and Monitoring
  • System and Communications Protection
  • System and Information Integrity
  • Planning*
  • System and Service Acquisition*
  • Supply Chain Risk Management* 

Section 3 of NIST SP 800-171 describes applicable requirements for each of these control families, including numerous subcategories of requirements within each family. One of the proposed changes with Revision 3 is the addition of Organization-Defined Parameters (ODP), which allow for additional flexibility for federal agencies by permitting them to set specific values for defined parameters. Once specified, these ODP become part of the requirement.

Changes Introduced Through NIST SP 800-171 Revision 3

In Revision 3, NIST has proposed several significant changes from the prior version of the publication. The updates are designed to streamline and clarify requirements. Below, we highlight some of the most consequential modifications:

The updated NIST SP 800-171 introduces several notable changes compared to the previous version. These changes aim to simplify and provide clearer guidance on the requirements. Let’s explore some of the key modifications that have significant implications.

No distinction between basic and derived security requirements

NIST has proposed to eliminate the distinction between basic security requirements (FIPS 200) and derived requirements (NIST SP 800-53). NIST SP 800-171 previously required compliance with both basic and derived controls. Now it proposes to abide by the derived controls. This shift stems from NIST’s acknowledgment that the requirements in FIPS 200 lack sufficient specificity to be useful for governmental contractors.

In addition, NIST has proposed to remove outdated and redundant requirements while also adding some new ones.  Thus, the number of security controls remained almost the same.

More specific security requirements

NIST has proposed to increase the detailing of security requirements as a response to the numerous feedback that previous requirements were too open to interpretation. The new detailed security requirements are aimed at improving the implementation effectiveness and clarifying the assessment’s scope of assessments. On one hand, the specificity in security controls has the potential to increase the compliance burden for organizations, as it reduces the flexibility in implementing measures to protect CUI. However, on the other hand, this move can also have a positive impact by clarifying the security requirements, making compliance easier to achieve.

Reflecting the recent changes in NIST SP 800-53 and SP 800‑53B

In response to feedback that organizations are overwhelmed by the number of security and risk management frameworks, the updated NIST 800-171 requirements now are better aligned with NIST SP 800-53, Revision 5, and NIST SP 800-53B. To facilitate the harmonization of requirements, NIST has provided a Prototype CUI Overlay, which shows how the moderate control baseline in NIST SP 800-53B can be tailored to align with the NIST SP 800-171 security requirements.

Introduction of ODP

One more important thing is the inclusion of Organizational Discretionary Parameters (ODPs) for specific security requirements. Currently, ODPs are already incorporated in NIST SP 800-53, allowing government agencies to customize security requirements according to their operational needs. In a similar vein, NIST is now suggesting the introduction of ODPs to NIST SP 800-171, granting federal agencies the flexibility to tailor requirements for safeguarding CUI. These ODPs would be defined within NIST SP 800-171 through parameters assigned by the respective agencies. 

What’s Next?

Public comments on the NIST 800-171 Revision 3 should be submitted by July 14, 2023. As for now, NIST is specifically interested in feedback related to re-categorized controls, ODP, and the Prototype CUI Overlay. 

In the meantime, it is essential for federal contractors and other entities subject to NIST SP 800-171 to carefully examine the revised draft and relevant resources. The covered organizations should be ready to adjust their security controls and systems once the updated publication is officially adopted. It is advisable to pay special attention to the three newly introduced control families and their corresponding requirements. This proactive approach will help ensure compliance with the forthcoming changes and maintain the security of their systems and data. 

In terms of timing, contractors should bear in mind that Revision 3 generally will not require regulatory changes and may be implemented through contract modifications. For example, the applicable Defense Federal Acquisition Regulation Supplement (“DFARS”) clause requires compliance with the version of NIST SP 800-171 “in effect at the time the solicitation is issued or as authorized by the Contracting Officer.” 

To stay updated on recent cybersecurity and compliance-related topics, keep reading our blog. Feel free to contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!



Phone:  888-437-3646

Leave a Reply