June 7, 2023

Volume XIII, Number 158


NIST Releases Initial Public Draft of NIST SP 800-171, Revision 3 for Protection of Sensitive Government Information

The National Institute of Standards and Technology (NIST) has released an initial public draft of NIST SP 800-171, Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Compliance with the security controls in NIST SP 800-171 is required for Department of Defense contractors and is expected to be incorporated into a new Federal Acquisition Regulation (FAR) clause and required for all federal contractors that process, store, or transmit Controlled Unclassified Information (CUI). 

Updates to Revision 3 were informed by public comments and changes to the security landscape since NIST released Revision 2 in February 2020. Significant changes to NIST SP 800-171, Revision 3 include: 

  • Updates to security requirements and families to reflect changes made in NIST SP 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations. Compliance with the NIST SP 800-53 standard is more rigorous and is generally required for federal information systems and for contractors operating information systems on behalf of the federal government, including cloud service providers. Many of the changes in NIST SP 800-171, Revision 3 align the two sets of standards.

  • Removal of outdated and redundant security requirements.

  • Introduction of organization-defined parameters (ODPs) for select requirements to increase flexibility and help organizations manage risk.

  • Inclusion of a prototype CUI overlay that shows how the NIST SP 800-53 moderate control baseline is tailored at the control and subcontrol levels to protect CUI.

NIST also added three new security requirement families (Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR)). Revision 3 now includes a total of 17 security control families. These new families mirror the control families in the NIST SP 800-53 moderate control baseline.

Changes to security controls in NIST SP 800-171, Revision 3 break down as follows:

  • 18 requirements with no significant changes

  • 49 requirements with significant changes, which include additional detail or foundational tasks to achieve the requirement

  • 18 requirements with minor changes

  • 26 new requirements added

  • 27 requirements withdrawn (note that elements of many of the withdrawn requirements have been incorporated into other requirements)

  • 53 organization-defined parameters added to existing or new requirements

NIST is seeking comments on the draft NIST SP 800-171, Revision 3 by July 14, 2023. In particular, NIST is interested in feedback on the recategorized controls, inclusion of organization-defined parameters, and the prototype CUI overlay. Comments should be submitted to [email protected].

NIST anticipates releasing one more draft version of NIST SP 800-171, Revision 3 before publishing the final version in early 2024.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XIII, Number 145

About this Author

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law Firm

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

Lauren Weiss, Associate, Washington D.C., Sheppard, Mullin, Richter & Hampton LLP

Lauren Weiss is an associate in the Government Contracts, Investigations & International Trade Practice Group in the firm's Washington, D.C. office.

Areas of Practice

Lauren's practice focuses on government contracts litigation, investigations, and counseling matters, including the following areas: cybersecurity counseling, internal investigations, regulatory compliance, bid protests before the U.S. Government Accountability Office, civil False Claims Act litigation defense, and transactional due diligence.