- NIST SP 800-172 Rev 3 (May 2026) contains "enhanced security requirements" to protect Controlled Unclassified Information (CUI).
- Contains 103 core requirements and an overall total of 164 unique requirements (including sub-requirements), not including Assessment Objectives (AOs) from NIST SP 800-172A Rev 3.
- Requirements are derived from NIST SP 800-53 R5 but exceed what is found in the High Baseline from NIST SP 800-53B Rev 5.
- These requirements are designed to protect High Value Assets (HVAs) that are at risk from Advanced Persistent Threats (APTs).
What Is NIST SP 800-172 Rev 3?
NIST SP 800-171 Rev 2 is focused on the protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations (e.g., defense contractors). NIST SP 800-171 provides US federal agencies (including the US Department of Defense (DoD)) with recommended cybersecurity requirements to protect the confidentiality and integrity of CUI in nonfederal systems and organizations. NIST SP 800-171 was first published in 2015 and the current version (Rev 3) was released in May 2024.
NIST SP 800-171 is designed to require contractors to adhere to reasonably expected security requirements that have been in use by the US government for years. NIST 800-171 establishes a basic set of expectations and maps these requirements to NIST 800-53, which is the de facto standard for US government cybersecurity controls. NIST 800-171 creates a standardized and uniform set of requirements for all Controlled Unclassified Information (CUI) security needs. This is designed to address common deficiencies in managing and protecting unclassified information that is being stored, transmitted or processed by private businesses.
Who Needs To Comply With NIST SP 800-172 Rev 3?
An organization that stores, processes and/or transmits CUI as part of a contract with the US government is required to comply with NIST SP 800-171. Examples of these organizations that may store, process and/or transmit CUI as part of a contract include, but are not limited to:
What Are The Penalties For Non-Compliance With NIST 800-171 Rev 2?
Non-compliance with NIST SP 800-171 Rev 2 could be a False Claims Act (FCA) violation and the US Department of Justice (DOJ) is taking FCA violations seriously. Additional penalties for non-compliance with NIST 800-171 Rev 2 include, but are not limited to:
Contract Termination
It is reasonably expected that the U.S. Government will terminate contracts with prime contractors over non-compliance with DFARS / NIST 800-171 requirements since it is a failure to uphold contract requirements. Subcontractor non-compliance will cause a prime contractor to be non-compliant, as a whole.
Criminal Fraud
If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information (e.g., False Claims Act).
Breach of Contract Lawsuits
Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a DFARS / NIST 800-171-related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., DFARS / NIST 800-171 cybersecurity controls).
As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.
How Does ComplianceForge Help Me Comply With NIST SP 800-172 Rev 3?
We take a holistic approach to creating comprehensive cybersecurity documentation that is both scalable and affordable. This is beyond just generic policies and allows you to build out an audit-ready cybersecurity program for your organization!
Editable NIST 800-172 Policies, Standards, Procedures Templates
ComplianceForge’s NIST 800-171 / CMMC documentation has been used successfully by multiple companies during DIBCAC assessments to efficiently and effectively generate the necessary artifact documentation to demonstrate compliance with NIST SP 800-171 controls and NIST SP 800-171A control objectives. This battle-tested documentation includes the necessary policies, standards, procedures, SSP, POA&M, Incident Response Plan (IRP) and other documentation that is expected to exist to successfully pass a third-party assessment, be it DIBCAC or a C3PAO.
The "NIST 800-171 in a nutshell" graphic shown below helps depict NIST 800-171 R3 requirements from a People, Process, Technology, Data and Facility (PPTDF) perspective. This can help better visualize what the various requirements are (e.g., administrative, technical solutions, configurations, etc.). You can download the PDF version here and you can read more about the concept of PPTDF here.