Just in Time for Spring: Revision 2 to NIST SP 800-171 Comes into Full Bloom

Client Alert | 1 min read | 03.12.20

The National Institute of Standards and Technology (NIST) recently released its final version of Revision 2 to the cybersecurity standard NIST Special Publication (SP) 800-171. While the security controls remain unchanged, Revision 2 now incorporates implementation guidance into each control. Importantly though, such guidance remains non-binding and is not intended to extend the scope of the controls’ requirements.

For future solicitations, Revision 2 will replace Revision 1 as the applicable standard under DFARS 252.204-7012. It remains to be seen how the finalization of Revision 2 will impact the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC). Currently, many CMMC practices cite to Revision 1, while “Discussion” sections cite to the draft version of Revision 2.

Lastly, although introduced in draft form at the same time as Revision 2, the separate standard NIST SP 800-171B – describing enhanced security controls intended to mitigate the risks of Advanced Persistent Threats (APTs) – remains unfinalized.

Contacts

Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==
Kate M. Growley
Partner, Crowell Global Advisors Senior Director
- Washington, D.C.
  - D | +1.202.624.2698
- Washington, D.C. (CGA)
  - D | +1 202.624.2500
a2dyb3dsZXlAY3Jvd2VsbC5jb20=

Insights

Client Alert | 2 min read | 02.03.26

CMS Doubles Down on RADV Audit Changes

On January 27, 2026, the Centers for Medicare and Medicaid Services (CMS) released a Health Plan Management System (HPMS) memo that provided a long-awaited update on how the agency plans to approach previously announced Risk Adjustment Data Validation (RADV) audits for Payment Years (PY) 2020-2024. The memo is the agency’s most comprehensive statement on the subject since September 25, 2025, when the Northern District of Texas vacated the 2023 RADV Final Rule. The memo makes clear that, while CMS has made certain operational adjustments in response to concerns expressed by Medicare Advantage Organizations (MAOs), the agency is largely pressing forward with the accelerated audit strategy announced in May 2025....

Client Alert | 2 min read | 02.03.26
Sedona Model Jury Instructions for DTSA: A Step Forward—But Questions Remain
Client Alert | 7 min read | 01.30.26
CMS Proposes CY 2027 Growth Rate and Changes to Risk Adjustment for Medicare Parts C and D
Client Alert | 4 min read | 01.30.26
Optimum’s Shot Across the Bow: An Antitrust Challenge to Cooperation Agreements

View All Insights