1. Home
  2. |Insights
  3. |Just in Time for Spring: Revision 2 to NIST SP 800-171 Comes into Full Bloom

Just in Time for Spring: Revision 2 to NIST SP 800-171 Comes into Full Bloom

Client Alert | 1 min read | 03.12.20

The National Institute of Standards and Technology (NIST) recently released its final version of Revision 2 to the cybersecurity standard NIST Special Publication (SP) 800-171. While the security controls remain unchanged, Revision 2 now incorporates implementation guidance into each control.  Importantly though, such guidance remains non-binding and is not intended to extend the scope of the controls’ requirements.  

For future solicitations, Revision 2 will replace Revision 1 as the applicable standard under DFARS 252.204-7012. It remains to be seen how the finalization of Revision 2 will impact the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC). Currently, many CMMC practices cite to Revision 1, while “Discussion” sections cite to the draft version of Revision 2.

Lastly, although introduced in draft form at the same time as Revision 2, the separate standard NIST SP 800-171B – describing enhanced security controls intended to mitigate the risks of Advanced Persistent Threats (APTs) – remains unfinalized.


Contacts

Insights

Client Alert | 2 min read | 12.19.25

GAO Cautions Agencies—Over-Redact at Your Own Peril

Bid protest practitioners in recent years have witnessed agencies’ increasing efforts to limit the production of documents and information in response to Government Accountability Office (GAO) bid protests—often will little pushback from GAO. This practice has underscored the notable difference in the scope of bid protest records before GAO versus the Court of Federal Claims. However, in Tiger Natural Gas, Inc., B-423744, Dec. 10, 2025, 2025 CPD ¶ __, GAO made clear that there are limits to the scope of redactions, and GAO will sustain a protest where there is insufficient evidence that the agency’s actions were reasonable....

View All Insights