What Is NIST SP 800-171 Rev 2?
NIST SP 800-171 Rev 2 refers to the Second Revision (Rev 2) of National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171):
- Publication Title: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- Published Date: February 2020
- Withdrawn Date: May 2024 (superseded by NIST SP 800-171 Rev 3)
NIST SP 800-171 was first published in 2015 and the current version (Rev 3) was released in May 2024. This NIST publication is focused on the protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations (e.g., defense contractors). NIST SP 800-171 provides US federal agencies (including the US Department of Defense (DoD)) with recommended cybersecurity requirements to protect the confidentiality and integrity of CUI in nonfederal systems and organizations.
NOTE: While NIST SP 800-171 Rev 3 is the current version of NIST SP 800-171, the DoD issued a class deviation in May 2024 for DFARS Clause 252.204-7012 to indefinitely require DoD contractors to comply with NIST SP 800-171 Rev 2. DFARS Clause 252.204-7012 mandates that defense contractors:
- Safeguard CUI;
- Report cyber incidents; and
- Comply with NIST SP 800-171.
The Office of Management and Budget (OMB) requires organizations to adopt the most current version of NIST publications one year after the new version's public release. From a NIST 800-171 perspective, this means NIST 800-171 Rev 3 is expected to be required in contracts no later than May 2025, at which time NIST 800-171 Rev 2 is deprecated (outdated). Per OMB in CIRCULAR NO. A-130: "For legacy information systems, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines within one year of their respective publication dates unless otherwise directed by OMB. The one-year compliance date for revisions to NIST publications applies only to new or updated material in the publications. For information systems under development or for legacy systems undergoing significant changes, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines immediately upon deployment of the systems."
Who Needs To Comply With NIST SP 800-171 Rev 2?
An organization that stores, processes and/or transmits CUI as part of a contract with the US government is required to comply with NIST SP 800-171. Examples of these organizations that may store, process and/or transmit CUI as part of a contract include, but are not limited to:
- Department of Defense (DoD) contractors;
- US federal contractors;
- Technology companies;
- Managed Service Providers (MSPs) / Managed Security Services Providers (MSSP);
- Systems integrators (e.g., professional services, consultants, etc.);
- Manufacturers;
- Higher education (e.g., colleges and universities);
- Healthcare providers; and
- Research institutions.
What Is The Source of NIST SP 800-171 Rev 2 Requirements?
The requirements in NIST SP 800-171 Rev 2 are based on 32 CFR Part 2002 and are derived from:
- Federal Information Processing Standards (FIPS) Publication 200 (FIPS 200); and
- The moderate security control baseline in NIST SP 800-53 Rev 4.
NIST determined the requirements in NIST SP 800-171 Rev 2 provide the necessary protection for federal information and systems that are covered under the Federal Information Security Modernization Act (FISMA). NIST applied tailoring criteria from FIPS 200 requirements for NIST SP 800-53 Rev 4 controls to come up with four (4) types of requirements, listed in Appendix E of NIST SP 800-171 Rev 2:
- NCO;
- FED;
- NFO; and
- CUI.
What Are NCO Requirements?
NCO requirements are not directly related to protecting the confidentiality of CUI. NCO requirements do not have to be implemented to comply with NIST SP 800-171 Rev 2.
What Are FED Requirements?
FED requirements are “uniquely federal” and primarily the responsibility of the US federal government. FED requirements do not have to be implemented to comply with NIST SP 800-171 Rev 2.
What Are NFO Requirements?
NFO requirements are expected to be routinely satisfied by Non-Federal Organizations (NFOs) without specification. NFO requirements must be implemented to comply with NIST SP 800-171 Rev 2.
What Are CUI Requirements?
CUI requirements protect the confidentiality and/or integrity of assets that store, process and/or transmit CUI. CUI requirements must be implemented to comply with NIST SP 800-171 Rev 2.
Are NIST SP 800-171 Requirements Considered “Best Practices” For Cybersecurity?
No. NIST SP 800-171 requirements are not “best practices” and are better described as reasonable cybersecurity practices to protect sensitive and/or regulated data. NIST SP 800-171 Rev 2 only protects against unauthorized disclosure and modification of CUI. It does not contain security controls that are considered “best practices” in cybersecurity.
Is NIST SP 800-171 Rev 2 A Contractual Obligation?
Yes. Organizations must implement NIST SP 800-171 Rev 2 requirements as part of a contractual obligation with the US Government. Contractors (including subcontractors) that store, process and/or transmit CUI must comply with NIST SP 800-171.
What Is The Scope of NIST SP 800-171 Rev 2 Compliance?
From the Abstract section in NIST SP 800-171 Rev 2 that defines the scope of NIST SP 800-171 Rev 2 compliance efforts, requirements “apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components.” The requirements in NIST SP 800-171 Rev 2 are intended to be used by US federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations (e.g., contractors).
While NIST does not provide additional scoping guidance for NIST SP 800-171 Rev 2, the DoD provides scoping for CMMC Level 2 environments. Additionally, ComplianceForge’s Unified Scoping Guide (USG) provides scoping guidance for CUI and other types of sensitive/regulated data.
What Is Controlled Unclassified Information (CUI)?
According to the US National Archives (NARA) that runs the US Government’s CUI Program, CUI is broadly defined as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act.”
In the context of cybersecurity, one of the more common forms of CUI is Controlled Technical Information (CTI) that broadly includes:
- Research and engineering data;
- Engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses, and related information; and
- Computer software executable code and source code.
Is Controlled Unclassified Information (CUI) Classified?
No. While CUI is sensitive information, it is not classified. CUI replaces For Official Use Only (FOUO) to protect unclassified, yet sensitive, data to prevent adverse national security and economic consequences.
Executive Orders (EO) 12356 and 13526 established the foundation for what "classified" data is, while EO 13556 established the foundation for CUI.
There are two (2) types of Unclassified data from the US Government's perspective:
- Controlled Unclassified Information (CUI):
  - CUI Basic; and
  - CUI Specified.
- Uncontrolled Unclassified Information (UUI):
  - General UUI (not publicly released or FCI);
  - Federal Contract Information (FCI); and
  - Information that has been cleared for public release.
There are three (3) types of Classified data from the US Government's perspective:
- Confidential;
- Secret; and
- Top Secret.
What Are The NIST SP 800-171 Rev 2 Requirements Used To Protect CUI?
While NIST SP 800-171 Rev 2 contains 110 requirements, there are 320 Assessment Objectives (AOs) in NIST SP 800-171A that must be used to evaluate the requirements from NIST SP 800-171 Rev 2. The requirement to use NIST SP 800-171A AOs was first defined by NARA’s Information Security Oversight Office (ISOO) in 2020 with CUI Notice 2020-04.
NIST SP 800-171 Rev 2 organizes the requirements into 14 families. The requirements in NIST SP 800-171 Rev 2 all have a “3.X” prefix because the requirements are in Chapter 3 of NIST SP 800-171.
The NIST SP 800-171 Rev 2 families are:
3.1 Access Control
This family of NIST SP 800-171 Rev 2 requirements focuses on logical access control. There are 22 unique access control requirements that are focused on protecting CUI.
3.2 Awareness and Training
This family of NIST SP 800-171 Rev 2 requirements focuses on end user training, specifically for personnel who handle CUI or administer technologies that support and/or protect CUI. There are 3 unique awareness and training requirements that are focused on protecting CUI.
3.3 Audit and Accountability
This family of NIST SP 800-171 Rev 2 requirements focuses on technology-related event logging to maintain situational awareness of the CUI environment. There are 9 unique audit and accountability requirements that are focused on protecting CUI.
3.4 Configuration Management
This family of NIST SP 800-171 Rev 2 requirements focuses on technology-related configuration management practices to secure the CUI environment. There are 9 unique configuration management requirements that are focused on protecting CUI.
3.5 Identification and Authentication
This family of NIST SP 800-171 Rev 2 requirements focuses on technology-related Identity and Access Management (IAM) practices to securely limit access to only those people and processes with a legitimate business need. There are 11 unique identification and authentication requirements that are focused on protecting CUI.
3.6 Incident Response
This family of NIST SP 800-171 Rev 2 requirements focuses on incident response practices associated with the CUI environment. There are 3 unique incident response requirements that are focused on protecting CUI.
3.7 Maintenance
This family of NIST SP 800-171 Rev 2 requirements focuses on technology-related maintenance activities within the CUI environment. There are 6 unique maintenance requirements that are focused on protecting CUI.
3.8 Media Protection
This family of NIST SP 800-171 Rev 2 requirements focuses on technology-related media protection and handling practices. There are 9 unique media protection requirements that are focused on protecting CUI.
3.9 Personnel Security
This family of NIST SP 800-171 Rev 2 requirements focuses on personnel-related management practices to ensure only necessary individuals have access to the CUI environment. There are 2 unique personnel security requirements that are focused on protecting CUI.
3.10 Physical Protection
This family of NIST SP 800-171 Rev 2 requirements focuses on physical security-related practices to physically secure the CUI environment. There are 6 unique physical protection requirements that are focused on protecting CUI.
3.11 Risk Assessment
This family of NIST SP 800-171 Rev 2 requirements focuses on risk management practices associated with the CUI environment. There are 3 unique risk assessment requirements that are focused on protecting CUI.
3.12 Security Assessment
This family of NIST SP 800-171 Rev 2 requirements focuses on System Development Lifecycle (SDLC) practices to ensure the security of the CUI environment as technologies and processes change and evolve. There are 4 unique security assessment requirements that are focused on protecting CUI.
3.13 System and Communications Protection
This family of NIST SP 800-171 Rev 2 requirements focuses on technology-related network security aspects of the CUI environment. There are 16 unique system and communication protection requirements that are focused on protecting CUI.
3.14 System and Information Integrity
This family of NIST SP 800-171 Rev 2 requirements focuses on technology-related event monitoring to maintain situational awareness of the CUI environment. There are 7 unique system and information integrity requirements that are focused on protecting CUI.
What Does It Mean To Comply With NIST SP 800-171 Rev 2?
Only the DoD has a third-party assessment methodology in place to provide conformity assessments for NIST SP 800-171 Rev 2, which is the Cybersecurity Maturity Model Certification (CMMC).
For non-DoD contractors, compliance with NIST SP 800-171 Rev 2 is “on the honor system,” similar to compliance with HIPAA, PCI DSS, GDPR and other common compliance obligations that organizations must meet. However, willful non-compliance with NIST SP 800-171 Rev 2 could be a False Claims Act (FCA) violation, and the US Department of Justice (DOJ) is taking FCA violations seriously.