Updated requirements for Controlled Unclassified Information (CUI)

On May 14th, 2024, the National Institute of Standards and Technology (NIST) released an updated version of NIST Special Publication (SP) 800-171, Revision 3. This publication addresses safeguarding Controlled Unclassified Information (CUI) within nonfederal systems and organizations. The revision introduces several significant changes. First, it consolidates certain security requirements, resulting in a lower overall number of security requirements, but in effect it actually creates more security requirements than in Revision 2. Second, it adds organization-defined parameters (ODPs), which allow for tailoring and flexibility of controls. But, in an effort to make things simpler, NIST added a lot of ambiguity with these ODPs. Thankfully, NIST also released NIST SP 800-171A, Rev. 3, Assessing Security Requirements for Controlled Unclassified Information, which will help contractors assess their security posture for CUI. It is highly recommended to review the new requirements of NIST SP 800-171, Rev. 3, while also consulting SP 800-171A.

Contractors seeking more information about these changes can refer to the frequently asked questions (FAQ) section and the Change Analysis available on the NIST website.

It’s worth noting that if a contract includes DFARS Clause 252.204-7012—and every contract that involves the DoD and CUI should—contractors are required to adhere to NIST SP 800-171. According to this clause, compliance is expected with the version of NIST SP 800-171 that was in effect at the time of solicitation issuance. This could mean that new contracts are required to follow Revision 3. But, in anticipation of Revision 3, the DoD issued a class deviation—that is a change to the language in the DFARS. This deviation specifies that contractors should continue to comply with the previous version, NIST SP 800-171 Revision 2, until further notice. Further details are available in the associated Press Release.

Consequently, contractors are not immediately required to adopt the changes outlined in Revision 3. However, it’s important to recognize that Revision 3 will eventually become the standard. Therefore, contractors are advised to utilize this transition period to prepare for the eventual implementation of Revision 3. Please contact Jason Moy if you have questions or need legal assistance with these matters.
