What Is NIST SP 800-171 Rev 3?

NIST SP 800-171 Rev 3 refers to the Third Revision (Rev 3) of National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171):

Publication Title: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Published Date: May 2024

NIST SP 800-171 was first published in 2015 and the current version (Rev3) was released in May 2024. This NIST publication is focused on the protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations (e.g., defense contractors). NIST SP 800-171 provides US federal agencies (including the US Department of Defense (DoD)) with recommended cybersecurity requirements to protect the confidentiality and integrity of CUI in nonfederal systems and organizations.

While NIST SP 800-171 Rev 3 is the current version of NIST SP 800-171, the DoD issued a class deviation in May 2024 for DFARS Clause 252.204-7012 to indefinitely require DoD contractors to comply with NIST SP 800-171 Rev 2. DFARS Clause 252.204-7012 mandates defense contactors to

Safeguard CUI;
Report cyber incidents; and
Comply with NIST SP 800-171.

Why Do I Need To Upgrade From NIST SP 800-171 Rev 2 To NIST SP 800-171 Rev 3?

The Office of Management and Budget (OMB) requires organizations to adopt the most current version of NIST publications one year after its the new version's public release. From a NIST 800-171 perspective, this means NIST 800-171 Rev 3 is expected to be required in contracts no later than May 2025, at which time NIST 800-171 Rev 2 is deprecated (outdated).

Per OMB in CIRCULAR NO. A-130: "For legacy information systems, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines within one year of their respective publication dates unless otherwise directed by OMB. The one-year compliance date for revisions to NIST publications applies only to new or updated material in the publications. For information systems under development or for legacy systems undergoing significant changes, agencies are expected to meet the requirements of, and be in compliance with, NIST standards and guidelines immediately upon deployment of the systems."

Who Needs To Comply With NIST SP 800-171 Rev 3?

An organization that stores, processes and/or transmits CUI as part of a contract with the US government is required to comply with NIST SP 800-171 Rev 3. Examples of these organizations that may store, process and/or transmit CUI as part of a contract include, but are not limited to:

Department of Defense (DoD) contractors;
US federal contractors;
Technology companies;
Managed Service Providers (MSPs) / Managed Security Services Providers (MSSP);
Systems integrators (e.g., professional services, consultants, etc.);
Manufacturers;
Higher education (e.g., colleges and universities);
Healthcare providers; and
Research institutions.

What Is The Source of NIST SP 800-171 Rev 3 Requirements?

The requirements in NIST SP 800-171 Rev 3 are based on the 32 CFR Part 2002 and are derived from:

Federal Information Processing Standards (FIPS) Publication 200 (FIPS 200); and
The moderate security control baseline in NIST SP 800-53 Rev 5.

NIST determined the requirements in NIST SP 800-171 Rev 3 provide the necessary protection for federal information and systems that are covered under the Federal Information Security Modernization Act (FISMA). NIST applied tailoring criteria from FIPS 200 requirements for NIST SP 800-53 Rev 5 controls to come up with five (5) types of requirements, listed in Appendix C of NIST SP 800-171 Rev 3:

NCO;
FED;
ORC
N/A; and
CUI.

Note: Non-Federal Organization (NFO) requirements were removed from NIST SP 800-171 Rev 3

What Are NCO Requirements?

NCO requirements are not directly related to protecting the confidentiality of CUI. NCO requirements are not mandatory to be implemented to comply with NIST SP 800-171 Rev 3.

What Are FED Requirements?

FEDrequirements are “uniquely federal” and primarily the responsibility of the US federal government. FED requirements are not mandatory to be implemented to comply with NIST SP 800-171 Rev 3.

What Are ORC Requirements?

ORC requirements are based on NIST SP 800-53 R4 security controls to provide a comprehensive set of security capabilities needed to protect organizational systems and support the concept of defense in depth. Some of the security controls may address similar or overlapping security topics that are covered by other related controls. These controls have been designated as ORC in the tailoring criteria. ORC requirements are not mandatory to be implemented to comply with NIST SP 800-171 Rev 3.

What Are N/A Requirements?

N/A requirements are not applicable to protecting CUI (e.g., Program Management (PM) and PII Processing and Transparency (PT) controls from NIST SP 800-53 R5). N/A requirements are not mandatory to be implemented to comply with NIST SP 800-171 Rev 3.

What Are CUI Requirements?

CUI requirements protect the confidentiality and/or integrity of assets that store, process and/or transmit CUI. CUI requirements must be implemented to comply with NIST SP 800-171 Rev 3.

Are NIST SP 800-171 R3 Requirements Considered “Best Practices” For Cybersecurity?

No. NIST SP 800-171 R3 requirements are not “best practices” and are better described as reasonable cybersecurity practices to protect sensitive and/or regulated data. While NIST SP 800-171 Rev 3 is more comprehensive than NIST SP 800-171 Rev 2, the NIST SP 800-171 publication only protects against unauthorized disclosure and modification of CUI. It does not contain security controls that are considered “best practices” in cybersecurity.

Is NIST SP 800-171 Rev 3 A Contractual Obligation?

Yes. Organizations must implement NIST SP 800-171 Rev 3 requirements as part of a contractual obligation with the US Government. Contractors (including subcontractors) that store, process and/or transmit CUI must comply with NIST SP 800-171. NIST 800-171 Rev 3 is the current version of the NIST SP 800-171 publication.

The OMB requires organizations to adopt the most current version of NIST publications one year after its the new version's public release. From a NIST 800-171 perspective, this means NIST 800-171 Rev 3 is expected to be required in contracts no later than May 2025, at which time NIST 800-171 Rev 2 is deprecated (outdated).

What Is The Scope of NIST SP 800-171 Rev 3 Compliance?

From Section 1.1of NIST SP 800-171 Rev 3 that defines the scope of NIST SP 800-171 Rev 3 compliance efforts, “The security requirements in this publication are only applicable to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components. System components include workstations, servers, notebook computers, smartphones, tablets, input and output devices, network components, operating systems, virtual machines, database management systems, and applications.” The requirements in NIST SP 800-171 Rev 3 are intended to be used by US federal agencies in contractual vehicles or other agreements between those agencies and nonfederal organizations (e.g., contractors).

While NIST does not provide additional scoping guidance for NIST SP 800-171 Rev 3, the DoD provides scoping for CMMC Level 2 environments. Additionally, ComplianceForge’s Unified Scoping Guide (USG) provides scoping guidance for CUI and other types of sensitive/regulated data. The USG can be useful to help scope NIST SP 800-171 Rev 3, due to the “or that provide protection for such components” addition in the scoping guidance.

What Is Controlled Unclassified Information (CUI)?

According to the US National Archives (NARA) that runs the US Government’s CUI Program, CUI is broadly defined as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act.”

In the context of cybersecurity, one of the more common forms of CUI is Controlled Technical Information (CTI) that broadly includes:

Research and engineering data;
Engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and
Computer software executable code and source code.

Is Controlled Unclassified Information (CUI) Classified?

No. While CUI is sensitive information, it is not classified. CUI replaces For Official Use Only (FOUO) to protect unclassified, yet sensitive, data to prevent adverse national security and economic consequences.

Executive Orders (EO) 12356 and 13526 established the foundation for what "classified" data is, while EO 13556 established the foundation for CUI.

There are two (2) types of Unclassified data from the US Government's perspective:

Controlled Unclassified Information (CUI):
1. CUI Basic; and
2. CUI Specified.
Uncontrolled Unclassified Information (UUI):
1. General UUI (not publicly released or FCI);
2. Federal Contract Information (FCI); and
3. Information that has been cleared for public release.

There are three (3) types of Classified data from the US Government's perspective:

Confidential;
Secret; and
Top Secret.

What Are The NIST SP 800-171 Rev 3 Requirements Use To Protect CUI?

While NIST SP 800-171 Rev 3 contains 97 core requirements, the total number of discrete requirements is 297. As for Assessment Objectives (AOs) in NIST SP 800-171A Rev 3, there are 510 AOs that must be used to evaluate the requirements from NIST SP 800-171 R3. The requirement to use NIST SP 800-171A AOs was first defined by NARA’s Information Security Oversight Office (ISOO) in 2020 with CUI Notice 2020-04.

NIST SP 800-171 Rev 3 organizes the requirements according to 17 families. The requirements in NIST SP 800-171 Rev 3 all have a “3.X” prefix due to the requirements being in Chapter 3 of NIST SP 800-171.

The NIST SP 800-171 Rev 3 families are:

3.1 Access Control

This family of NIST SP 800-171 Rev 3 requirements focuses on logical access control.

3.2 Awareness and Training

This family of NIST SP 800-171 Rev 3 requirements focuses on end user training, specifically for personnel who handle CUI or administer technologies that support and/or protect CUI.

3.3 Audit and Accountability

This family of NIST SP 800-171 Rev 3 requirements focuses on technology-related event logging to maintain situational awareness of the CUI environment.

3.4 Configuration Management

This family of NIST SP 800-171 Rev 3 requirements focuses on technology-related configuration management practices to secure the CUI environment.

3.5 Identification and Authentication

This family of NIST SP 800-171 Rev 3 requirements focuses on technology-related Identity and Access Management (IAM) practices to securely limit access to only those people and processes with a legitimate business need.

3.6 Incident Response

This family of NIST SP 800-171 Rev 3 requirements focuses on incident response practices associated with the CUI environment.

3.7 Maintenance

This family of NIST SP 800-171 Rev 3 requirements focuses on technology-related maintenance activities within CUI environment.

3.8 Media Protection

This family of NIST SP 800-171 Rev 3 requirements focuses on technology-related media protection and handling practices.

3.9 Personnel Security

This family of NIST SP 800-171 Rev 3 requirements focuses on personnel-related management practices to ensure only necessary individuals have access to the CUI environment.

3.10 Physical Protection

This family of NIST SP 800-171 Rev 3 requirements focuses on physical security-related practices to physically secure the CUI environment.

3.11 Risk Assessment

This family of NIST SP 800-171 Rev 3 requirements focuses on risk management practices associated with the CUI environment.

3.12 Security Assessment and Monitoring

This family of NIST SP 800-171 Rev 3 requirements focuses on System Development Lifecycle (SDLC) practices to ensure the security of the CUI environment as technologies and processes change and evolve.

3.13 System and Communications Protection

This family of NIST SP 800-171 Rev 3 requirements focuses on technology-related network security aspects of the CUI environment.

3.14 System and Information Integrity

This family of NIST SP 800-171 Rev 3 requirements focuses on technology-related event monitoring to maintain situational awareness of the CUI environment.

3.15 Planning

This family of NIST SP 800-171 Rev 3 requirements focuses on the organization’s strategic plans to govern cybersecurity risks and threats to protect the CUI environment.

3.16 System and Services Acquisition

This family of NIST SP 800-171 Rev 3 requirements focuses on technology-related development and acquisition processes to maintain the confidentiality and integrity of the CUI environment.

3.17 Supply Chain Risk Management

This family of NIST SP 800-171 Rev 3 requirements focuses on Cybersecurity Supply Chain Risk Management (C-SCRM)-related practices to operationalize concepts from NIST SP 800-161 Rev 1 to protect the CUI environment.

What Does It Mean To Comply With NIST SP 800-171 Rev 3?

The DoD has a third-party assessment methodology in place to provide conformity assessments for NIST SP 800-171 Rev 2, which is the Cybersecurity Maturity Model Certification (CMMC). Eventually, the DoD will release a “CMMC 3.0” model that provides coverage for NIST SP 800-171 Rev 3.

For non-DoD contactors, compliance with NIST SP 800-171 Rev 3 is “on the honor system” similar to compliance with HIPAA, PCI DSS, GDPR and other common compliance obligations that organizations must comply with. However, willful non-compliance with NIST SP 800-171 Rev 3 could be a False Claims Act (FCA) violation and the US Department of Justice (DOJ) is taking FCA violations seriously.

There are no products listed under this category.