Home » Insights » Updated Requirements: What NIST 800-171 Revision 3 Means for Government Contractors

Updated Requirements: What NIST 800-171 Revision 3 Means for Government Contractors

05 June, 2023
Updated Requirements: What NIST 800-171 Revision 3 Means for Government Contractors

Key Details: The National Institute of Standards and Technology (NIST) released a draft Revision 3 for Special Publication (SP) 800-171 on May 10, 2023. SP 800-171 provides the foundation for the requirements related to protecting controlled unclassified information (CUI). Though Revision 3 is still in draft form, businesses are encouraged to begin reviewing and considering necessary modifications related to CUI safeguarding. Additionally, NIST is seeking public comments, with the comment period closing July 14, 2023. Interested parties are encouraged to review the draft of Revision 3 to prepare for any upcoming changes and submit comments.  


Background on SP 800-171 and CUI 

NIST SP 800-171 is a publication that requires any organizations that processes or stores CUI on behalf of the U.S. Government to be compliant with a set of cybersecurity standards. These standards outline the security requirements and practices non-federal organizations must comply with and specifically focuses on protecting CUI.  

CUI is defined as information owned or created by the government that is considered sensitive but not classified. Examples of CUI include patents or information regarding the acquisition of goods and services.  


What does Revision 3 Entail?  

Significant changes under Revision 3 include the following:  

  1. Security requirement and families updates to align with updates in NIST SP 800-53, Revision 5 and NIST SP 800-53B moderate control baseline. 
  2. Updated tailoring criteria. 
  3. Removing ambiguity and increasing specificity for security requirements to improve implementation effectiveness and the clarity of the scope of assessments. 
  4. Increase flexibility and risk management through the introduction of organization-defined parameters (ODP) in selected security requirements. 
  5. CUI overlay prototype.  

Next Steps 

Government contractors are encouraged to take the following steps to ensure compliance with NIST SP 800-171 and the upcoming CMMC 2.0 requirements. For further information and expertise, contact Ryan & Wetmore today.  

  1. Contractors should assess their compliance with NIST SP 800-171 Revision 2. Revision 3 brings about further security updates. 
  2. Assess requirements under CMMC 2.0 and implement the necessary controls required to maintain compliance. 
  3. Ensure adequate policies and procedures are in place regarding cybersecurity, health and infrastructure. 
  4. Consider adding the 61 controls related to the CMMC assessment objectives. 

Cybersecurity maintenance is a key component of success in the government contracting marketplace. Contractors are encouraged to take the necessary steps to implement and improve controls to ensure compliance with current contracts and competitiveness on future contracts.  


Today’s Thought Leaders


About Peter Ryan
Partner, Co-founder, & CPA

Peter T. Ryan co-founded Ryan & Wetmore in 1988 with business partner Michael J. Wetmore. Peter provides clients with the best strategies for success. His expertise extends across various industries. Peter obtained a Master of Business Administration in Finance from the University of Baltimore and a Bachelor of Arts in Accounting from the Catholic University of America.

Read Pete’s full bio.



About Rosie Cheng
Finance Consultant

Rosie Cheng is a Finance Consultant at Ryan & Wetmore. She focuses on government contracting services and produces many of the firm’s government contracting newsletters. Rosie graduated from Georgetown University with a Master of Science in Management and from William and Mary with a Bachelor of Business Administration.