Contact

Updated requirements for Controlled Unclassified Information (CUI)

On May 14th, 2024, the National Institute of Standards and Technology (NIST) released an updated version of NIST Special Publication (SP) 800-171, Revision 3. This publication addresses safeguarding Controlled Unclassified Information (CUI) within nonfederal systems and organizations. The revision introduces several significant changes. For example, the revision consolidates certain security requirements resulting in an overall lower number of security requirements – but in effect actually creates more security requirements than in Revision 2. Second, it adds organization-defined parameters (OPDs) which allow for tailoring and flexibility of controls. But, in an effort to make things simpler, NIST added in a lot of ambiguity with these OPDs. Thankfully, NIST also released NIST SP 800-171a, Rev. 3, Assessing Security Requirements for Controlled Unclassified Information, which will help contractors assess their security posture for CUI. It is highly recommended to review the new requirements of NIST SP 800-171, Rev. 3, while also consulting the 800-171a.

Contractors seeking more information about these changes can refer to the frequently asked questions (FAQ) section and the Change Analysis available on the NIST website.

It’s worth noting that if a contract includes DFARS Clause 252.204-7012—and every contract that involves the DoD and CUI should—contractors are required to adhere to NIST SP 800-171. According to this clause, compliance is expected with the version of NIST SP 800-171 that was in effect at the time of solicitation issuance. This could mean that new contracts are required to follow Revision 3. But, in anticipation of Revision 3, the DoD issued a class deviation—that is a change to the language in the DFARS. This deviation specifies that contractors should continue to comply with the previous version, NIST SP 800-171 Revision 2, until further notice. Further details are available in the associated Press Release.

Consequently, contractors are not immediately required to adopt the changes outlined in Revision 3. However, it’s important to recognize that Revision 3 will eventually become the standard. Therefore, contractors are advised to utilize this transition period to prepare for the eventual implementation of Revision 3. Please contact Jason Moy if you have questions or need legal assistance with these matters.

Related Resources

View All Resources
Published on:

Client alert: Federal court pauses DEI executive orders

On February 21, 2025, a federal court issued a nation-wide preliminary injunction that temporarily stops President Trump’s efforts to criminalize programs that support diversity, equity, and inclusion. Click the link to learn more and contact Josh Schnell with questions about DEI terminations or related compliance issues. 
Published on:

Law360 Coverage of billion dollar bid protest

Law360 recently published an article about the bid protest we filed on behalf of Centerra Security Service GmBH. In the case (Centerra Security Service GmBH v. United States), a Cordatis team consisting of Daniel Strouse, Josh Schnell, and Pablo Nichols are challenging the Army's award of a billion dollar contract for security services throughout Germany.
Published on:

Sometimes the sole-source is the right source

After our client Hydraulics International, Inc. won a sole-source contract from the Army for an Aviation Ground Power Unit, a competitor filed a GAO protest arguing that it should have been allowed to compete for the contract. A Cordatis team consisting of David Cohen, John O'Brien, Pablo Nichols, and Rhina Cardenal intervened and successfully defended the protest.

Big Firm Experience – Small Firm Value

Serving the government contracting community since 1979

+1(202)342-2550

Contact Us

1011 Arlington Blvd.
Suite 375
Arlington, VA 22209

tel: 202.342.2550

fax: 202.342.6147

The Firm

Resources

Expertise

Copyright © 2025 Cordatis LLP.
All rights reserved.

03/22/2024 ADA Website Compliant to ADA WCAG 2.1 AA / Section 508 as of 03/22/2024