On May 14th, 2024, the National Institute of Standards and Technology (NIST) released an updated version of NIST Special Publication (SP) 800-171, Revision 3. This publication addresses safeguarding Controlled Unclassified Information (CUI) within nonfederal systems and organizations. The revision introduces several significant changes. For example, the revision consolidates certain security requirements resulting in an overall lower number of security requirements – but in effect actually creates more security requirements than in Revision 2. Second, it adds organization-defined parameters (OPDs) which allow for tailoring and flexibility of controls. But, in an effort to make things simpler, NIST added in a lot of ambiguity with these OPDs. Thankfully, NIST also released NIST SP 800-171a, Rev. 3, Assessing Security Requirements for Controlled Unclassified Information, which will help contractors assess their security posture for CUI. It is highly recommended to review the new requirements of NIST SP 800-171, Rev. 3, while also consulting the 800-171a.
Contractors seeking more information about these changes can refer to the frequently asked questions (FAQ) section and the Change Analysis available on the NIST website.
It’s worth noting that if a contract includes DFARS Clause 252.204-7012—and every contract that involves the DoD and CUI should—contractors are required to adhere to NIST SP 800-171. According to this clause, compliance is expected with the version of NIST SP 800-171 that was in effect at the time of solicitation issuance. This could mean that new contracts are required to follow Revision 3. But, in anticipation of Revision 3, the DoD issued a class deviation—that is a change to the language in the DFARS. This deviation specifies that contractors should continue to comply with the previous version, NIST SP 800-171 Revision 2, until further notice. Further details are available in the associated Press Release.
Consequently, contractors are not immediately required to adopt the changes outlined in Revision 3. However, it’s important to recognize that Revision 3 will eventually become the standard. Therefore, contractors are advised to utilize this transition period to prepare for the eventual implementation of Revision 3. Please contact Jason Moy if you have questions or need legal assistance with these matters.