The National Institute of Standards and Technology (NIST) has released an initial public draft of NIST SP 800-171, Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Compliance with the security controls in NIST SP 800-171 is required for Department of Defense contractors and is expected to be incorporated into a new Federal Acquisition Regulation (FAR) clause and required for all federal contractors that process, store, or transmit Controlled Unclassified Information (CUI). 

Updates to Revision 3 were informed by public comments and changes to the security landscape since NIST released Revision 2 in February 2020. Significant changes to NIST SP 800-171, Revision 3 include: 

• Updates to security requirements and families to reflect changes made in NIST SP 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations. Compliance with the NIST SP 800-53 standard is more rigorous and generally required for federal information systems or contractors operating information systems on behalf of the federal government, to include cloud service providers. Many of the changes in NIST 800-171, Revision 3 align the two sets of standards.

• Removal of outdated and redundant security requirements.

• Introduction of organization-defined parameters (ODPs) for select requirements to increase flexibility and help organizations manage risk.

• Inclusion of a protype CUI overlay that shows how the NIST SP 800-53 moderate control baseline is tailored at the control and subcontrol levels to protect CUI.

NIST also added three new security requirement families (Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR)). Revision 3 now includes a total of 17 security control families. These new families mirror the control families in the NIST SP 800-53 moderate control baseline.

Changes to security controls in NIST SP 800-171, Revision 3 breakdown as follows:

• 18 requirements with no significant changes

• 49 requirements with significant changes, which include additional detail or foundational tasks to achieve the requirement

• 18 requirements with minor changes

• 26 new requirements added

• 27 requirements withdrawn (note elements of many of the withdrawn requirements have been incorporated into other requirements)

• 53 organization-defined parameters added to existing or new requirements

NIST is seeking comments on the draft NIST SP 800-171, Revision 3 by July 14, 2023. In particular, NIST is interested in feedback on the recategorized controls, inclusion of organization-defined parameters, and the prototype CUI overlay. Comments should be submitted to 800-171comments@list.nist.gov.

NIST anticipates releasing one more draft version of NIST SP 800-171, Revision 3 before publishing the final version in early 2024.