
NIST SP 800-171 Compliance (DFARS 252.204-7012)

The current version of this standard is NIST SP 800-171 Rev 3. NIST SP 800-171 Rev 2 was deprecated in May 2025 (one year after Rev 3 was published). Note: the US Department of War (DoW, formerly referred to as the DoD) has a class deviation that allows contractors to remain on NIST SP 800-171 Rev 2 for DFARS 252.204-7012 / CMMC 2.0 purposes.

  • Publication Title: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • Published Date: May 2024
Key Takeaways - NIST SP 800-171 R3 Compliance
  • NIST SP 800-171 Rev 3 (May 2024) is the current version. OMB requires agencies to adopt a new NIST publication within one year, which made R2 deprecated as of May 2025.
  • While the number of CUI requirements dropped from 110 to 97, the number of discrete requirements rose to 287 (roughly 2.6 times the 110 in R2) and the number of Assessment Objectives (AOs) rose 59% (from 320 to 510).
  • All 61 NFO controls were absorbed into the CUI requirement set, increasing the governance burden on contractors.
  • The heaviest lifts are the NFO-to-CUI migration (more governance) and implementing an operational C-SCRM Plan backed by evidence.
  • DoD issued a class deviation keeping R2 as the DFARS 252.204-7012 baseline until further notice, but R3 is expected to become the standard for new contracts going forward.
Overview

What Is NIST SP 800-171 Rev 3?

NIST SP 800-171 is focused on the protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations (e.g., defense contractors). NIST SP 800-171 provides US federal agencies (including the US Department of Defense (DoD)) with recommended cybersecurity requirements to protect the confidentiality and integrity of CUI in nonfederal systems and organizations. NIST SP 800-171 was first published in 2015 and the current version (Rev 3) was released in May 2024.

NIST SP 800-171 is designed to require contractors to adhere to reasonably-expected security requirements that have been in use by the US government for years. NIST 800-171 establishes a basic set of expectations and maps these requirements to NIST 800-53, which is the de facto standard for US government cybersecurity controls. NIST 800-171 creates a standardized and uniform set of requirements for all Controlled Unclassified Information (CUI) security needs. This is designed to address common deficiencies in managing and protecting unclassified information that is being stored, transmitted or processed by private businesses.

Note

While NIST SP 800-171 Rev 3 is the current version of NIST SP 800-171, the DoD issued a class deviation in May 2024 for DFARS Clause 252.204-7012 that requires DoD contractors to continue complying with NIST SP 800-171 Rev 2 until further notice. DFARS Clause 252.204-7012 mandates that defense contractors:

  • Safeguard CUI;
  • Report cyber incidents; and
  • Comply with NIST SP 800-171.
Regulatory Mandate

Why Do You Need To Upgrade?

The Office of Management and Budget (OMB) requires federal agencies to adopt the most current version of a NIST publication within one year of its public release. From a NIST 800-171 perspective, this means NIST 800-171 Rev 3 was expected to be required in contracts no later than May 2025, at which point NIST 800-171 Rev 2 became deprecated (outdated).

Per OMB in CIRCULAR NO. A-130: "For legacy information systems, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines within one year of their respective publication dates unless otherwise directed by OMB. The one-year compliance date for revisions to NIST publications applies only to new or updated material in the publications. For information systems under development or for legacy systems undergoing significant changes, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines immediately upon deployment of the systems."

Who Needs To Comply?

Who Needs To Comply With NIST SP 800-171 Rev 3?

An organization that stores, processes and/or transmits CUI as part of a contract with the US government is required to comply with NIST SP 800-171. Examples of these organizations that may store, process and/or transmit CUI as part of a contract include, but are not limited to:

  • DoD Contractors
  • Federal Contractors
  • Technology Companies
  • MSPs / MSSPs
  • Systems Integrators
  • Manufacturers
  • Higher Education (e.g., colleges & universities)
  • Healthcare Providers
  • Research Institutions
Source Of Requirements

What Is The Source of NIST SP 800-171 Rev 3 Requirements?

The requirements in NIST SP 800-171 Rev 3 are based on 32 CFR Part 2002 and are derived from:

  • Federal Information Processing Standards (FIPS) Publication 200 (FIPS 200); and
  • The moderate security control baseline in NIST SP 800-53 Rev 5.

NIST derived the NIST SP 800-171 Rev 3 requirements from the protections that federal information and systems covered by the Federal Information Security Modernization Act (FISMA) already receive. NIST applied tailoring criteria (based on FIPS 200) to the NIST SP 800-53 Rev 5 moderate baseline, sorting each control into one of four (4) categories listed in Appendix C of NIST SP 800-171 Rev 3:

Not Required

NCO Controls

What Are NCO Requirements? NCO (Not directly related to protecting the Confidentiality of CUI) requirements do not directly protect the confidentiality of CUI. NCO requirements are not mandatory to implement to comply with NIST SP 800-171 Rev 3.

Not Required

FED Controls

What Are FED Requirements? FED requirements are "uniquely federal" and primarily the responsibility of the US federal government. FED requirements are not mandatory to implement to comply with NIST SP 800-171 Rev 3.

Not Required (Covered By Other Requirements)

ORC Controls

What Are ORC Requirements? ORC (Other Related Controls) are NIST SP 800-53 Rev 5 moderate-baseline controls that address security topics similar to, or overlapping with, topics already covered by other related controls. Because the related CUI requirements already cover them, controls designated ORC in the tailoring criteria are not listed as separate requirements and are not mandatory to implement to comply with NIST SP 800-171 Rev 3.

Required

CUI Controls

What Are CUI Requirements? CUI requirements protect the confidentiality and/or integrity of assets that store, process and/or transmit CUI. CUI requirements must be implemented to comply with NIST SP 800-171 Rev 3.

Note

The Non-Federal Organization (NFO) tailoring category was removed in NIST SP 800-171 Rev 3. The NFO controls were not dropped; they were folded into the CUI requirements.

NIST SP 800-171 Rev 3 Requirements To Protect CUI

What Are The NIST SP 800-171 Rev 3 Requirements Used To Protect CUI?

While NIST SP 800-171 Rev 3 contains 97 core requirements, the total number of discrete requirements is 287. As for Assessment Objectives (AOs) in NIST SP 800-171A Rev 3, there are 510 AOs that must be used to evaluate the requirements from NIST SP 800-171 R3. The requirement to use NIST SP 800-171A AOs was first defined by NARA's Information Security Oversight Office (ISOO) in 2020 with CUI Notice 2020-04.

NIST SP 800-171 Rev 3 organizes the requirements according to 17 families. The requirements in NIST SP 800-171 Rev 3 all have a “3.X” prefix due to the requirements being in Chapter 3 of NIST SP 800-171.

The NIST SP 800-171 Rev 3 families are:

3.1 Access Control

This family of NIST SP 800-171 Rev 3 requirements focuses on logical access control.

3.2 Awareness & Training

This family of NIST SP 800-171 Rev 3 requirements focuses on end user training, specifically for personnel who handle CUI or administer technologies that support and/or protect CUI.

3.3 Audit & Accountability

This family of NIST SP 800-171 Rev 3 requirements focuses on technology-related event logging to maintain situational awareness of the CUI environment.

3.4 Configuration Management

This family of NIST SP 800-171 Rev 3 requirements focuses on technology-related configuration management practices to secure the CUI environment.

3.5 Identification & Authentication

This family of NIST SP 800-171 Rev 3 requirements focuses on technology-related Identity and Access Management (IAM) practices to securely limit access to only those people and processes with a legitimate business need.

3.6 Incident Response

This family of NIST SP 800-171 Rev 3 requirements focuses on incident response practices associated with the CUI environment.

3.7 Maintenance

This family of NIST SP 800-171 Rev 3 requirements focuses on technology-related maintenance activities within the CUI environment.

3.8 Media Protection

This family of NIST SP 800-171 Rev 3 requirements focuses on technology-related media protection and handling practices.

3.9 Personnel Security

This family of NIST SP 800-171 Rev 3 requirements focuses on personnel-related management practices to ensure only necessary individuals have access to the CUI environment.

3.10 Physical Protection

This family of NIST SP 800-171 Rev 3 requirements focuses on physical security-related practices to physically secure the CUI environment.

3.11 Risk Assessment

This family of NIST SP 800-171 Rev 3 requirements focuses on risk management practices associated with the CUI environment.

3.12 Security Assessment & Monitoring

This family of NIST SP 800-171 Rev 3 requirements focuses on assessing whether the requirements are implemented and operating as intended, tracking identified gaps in a Plan of Action & Milestones (POA&M), and continuously monitoring the CUI environment as technologies and processes change and evolve.

3.13 System & Communications Protection

This family of NIST SP 800-171 Rev 3 requirements focuses on technology-related network security aspects of the CUI environment (e.g., boundary protection, cryptography and communications security).

3.14 System & Information Integrity

This family of NIST SP 800-171 Rev 3 requirements focuses on flaw remediation, malicious code protection and system monitoring to maintain situational awareness of the CUI environment.

3.15 Planning

This family of NIST SP 800-171 Rev 3 requirements focuses on the governance documentation that frames the program protecting the CUI environment: cybersecurity policies and procedures, the System Security Plan (SSP) and rules of behavior.

3.16 System and Services Acquisition

This family of NIST SP 800-171 Rev 3 requirements focuses on System Development Life Cycle (SDLC), acquisition and external system service processes to maintain the confidentiality and integrity of the CUI environment.

3.17 Supply Chain Risk Management

This family of NIST SP 800-171 Rev 3 requirements focuses on Cybersecurity Supply Chain Risk Management (C-SCRM)-related practices to operationalize concepts from NIST SP 800-161 Rev 1 to protect the CUI environment.

Penalties For Non-Compliance

What Are The Penalties For Non-Compliance With NIST 800-171 Rev 3?

Non-compliance with NIST SP 800-171 could be a False Claims Act (FCA) violation and the US Department of Justice (DOJ) is taking FCA violations seriously. Additional consequences of non-compliance with NIST 800-171 include, but are not limited to:

Contract Termination

It is reasonably expected that the U.S. Government will terminate contracts with prime contractors over non-compliance with DFARS / NIST 800-171 requirements since it is a failure to uphold contract requirements. Subcontractor non-compliance will cause a prime contractor to be non-compliant, as a whole.

Criminal Fraud

If a company states it is compliant when it knows it is not, that is a misrepresentation of material fact: an act intended to deceive through a false representation, resulting in legal detriment to the party that relies on the false information. Knowingly false certifications of compliance made to the US Government can be treated as criminal fraud and are the basis for False Claims Act liability.

Breach of Contract Lawsuits

Both prime contractors and subcontractors could be exposed to civil litigation, whether for breach of contract or in tort. A tort is a civil wrong committed against another party for which the injured party can sue for damages. The likely DFARS / NIST 800-171-related tort theory would be negligence on the part of the accused party for failing to maintain a specific standard of care (e.g., the DFARS / NIST 800-171 cybersecurity controls).

As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.

Upgrade To NIST 800-171 Rev 3

How Do I Upgrade To NIST 800-171 R3?

Sooner, rather than later, the US Government's global supply chain will have to transition to NIST 800-171 R3. ComplianceForge provides a free resource for organizations migrating from NIST 800-171 R2 to R3. This guide provides an Assessment Objective (AO)-level analysis to address differences:

  • Over 1/3 are minimal effort (clear, direct mapping);
  • Approximately 1/5 are moderate effort (indirect mapping); and
  • Approximately 1/2 are significant effort (no clear mapping or new AOs).

This guide also addresses the logical dependencies created by "orphaned AOs": AOs from NIST 800-171A R2 that have no counterpart in NIST 800-171A R3, but where a requirement to demonstrate evidence of due diligence and due care still exists for specific functions (e.g., maintenance operations, roles & responsibilities, inventories, physical security, etc.).

ComplianceForge's Solution

What Problem Does ComplianceForge's NIST SP 800-171 Rev 3 Documentation Solve?

We sell cybersecurity documentation - policies, standards, procedures and more! Our documentation is meant to help companies become audit-ready!

Lack of In House Security Experience
Writing security documentation is a skill that many good cybersecurity professionals simply are not proficient at and avoid at all costs. Tasking your security analysts and engineers with writing comprehensive NIST 800-171 compliance documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. ComplianceForge offers NIST 800-171 documentation solutions that can save your organization significant time and money!
Compliance Requirements
The reality of non-compliance with NIST 800-171 requirements means lost business and potential fines. In addition to losing contracts, charges of fraud may be leveled on companies that claim to be compliant with NIST 800-171 but cannot provide evidence. Our documentation can help you become and stay compliant with NIST 800-171 where you have documented evidence to prove it!
Audit Failures
Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. Our documentation provides mapping to NIST 800-53 and other leading security frameworks to show you exactly what is required to both stay secure and compliant. Being editable documentation, you are able to easily maintain it as your needs or technologies change.  
How Does ComplianceForge Help?

How Does ComplianceForge Help Me Comply With NIST SP 800-171 Rev 3?

We take a holistic approach to creating comprehensive cybersecurity documentation that is both scalable and affordable. This is beyond just generic policies and allows you to build out an audit-ready cybersecurity program for your organization!

Clear Documentation
In an audit, clear and concise documentation is half the battle. ComplianceForge provides comprehensive documentation that can prove your NIST 800-171 compliant security program exists. This equates to a time saving of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
Time Savings
Time is money! Our cybersecurity documentation addresses DFARS and FAR requirements and this can provide your organization with a semi-customized solution that requires minimal resources to fine tune for your organization's specific needs.
Alignment With Leading Practices
We did the heavy lifting. Our documentation is mapped to the NIST 800-53, as well as other leading security frameworks!
Editable NIST 800-171 Documentation Templates

Editable NIST 800-171 Policies, Standards, Procedures Templates

ComplianceForge's NIST 800-171 / CMMC documentation has been used successfully by multiple companies during DIBCAC assessments to efficiently and effectively generate the artifact documentation needed to demonstrate compliance with NIST SP 800-171 requirements and NIST SP 800-171A assessment objectives. This battle-tested documentation includes the policies, standards, procedures, SSP, POA&M, Incident Response Plan (IRP) and other documentation that is expected to exist to successfully pass a third-party assessment, be it DIBCAC or a C3PAO.

The "NIST 800-171 in a nutshell" graphic shown below depicts the NIST 800-171 R3 requirements from a People, Process, Technology, Data and Facility (PPTDF) perspective. This helps visualize what the various requirements are (e.g., administrative controls, technical solutions, configurations, etc.). A PDF version of the graphic and a fuller explanation of the PPTDF concept are available from ComplianceForge.

People
A "people" control is primarily applied to humans (e.g., employees, contractors, third-parties, etc.).
Process
A "process" control is primarily applied to a manual or automated process.
Technology
A "technology" control is primarily applied to a system, application and/or service.
Data
A "data" control is primarily applied to data (e.g., CUI, CHD, PII, etc.).
Facility
A "facility" control is primarily applied to a physical building (e.g., office, data center, warehouse, home office, etc.).