Spring Has Sprung New Cyber Requirements: NIST Unveils Draft Revision 3 to NIST SP 800-171

Client Alert | 2 min read | 05.12.23

On May 10, 2023, the National Institute of Standards and Technology (NIST) released a draft of NIST Special Publication (SP) 800-171 Revision 3, containing new and revised cybersecurity controls that, when finalized, will be required for federal contractors handling Controlled Unclassified Information (CUI).

NIST proposed five key changes to NIST SP 800-171:

New controls and control families. Like Revision 2, NIST SP 800-171 Revision 3 contains 110 total security controls. However, in Revision 3, NIST deleted or consolidated older controls to make way for 26 new controls, including 3 new control families.
Introduction of organization-defined parameters (ODP). NIST introduced ODP in select security controls, increasing flexibility by allowing federal agencies to specify values for designated parameters as needed. For example, Control 3.5.12, “Authenticator Management,” now allows agencies to define the authenticator refreshment time period or, if the agency prefers, require refreshment when an agency-defined event occurs.
Increased specificity for security requirements. Revision 3 incorporates nuanced security requirements for the majority of its controls. For example, to comply with Revision 3’s Control 3.1.4, “Separation of Duties,” contractors will need to demonstrate that they:
a. identify the duties of individuals requiring separation; and
b. define system access authorizations to support separation of duties.
Updated tailoring criteria. NIST reduced the number of non-federal organization (NFO) controls from Revision 2, as industry feedback revealed that many NFO controls (e.g. AC-1, “Policies and Procedures”) were not being implemented or assessed.
A prototype CUI overlay. NIST provided a draft CUI overlay spreadsheet along with Revision 3. The overlay describes how each control and control item in the NIST SP 800-53 moderate baseline—essentially, NIST SP 800-171’s parent standard—is tailored to protect CUI in NIST SP 800-171.

NIST is soliciting comments on Revision 3 through July 14, 2023. Any interested parties may email their comments to 800-171comments@list.nist.gov.

Contacts

Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==
Evan D. Wolff
Partner
He/Him/His
- Washington, D.C.
  - D | +1.202.624.2615
ZXdvbGZmQGNyb3dlbGwuY29t
Maida Oringher Lerner
Senior Counsel
She/Her/Hers
- Washington, D.C.
  - D | +1.202.624.2596
bWxlcm5lckBjcm93ZWxsLmNvbQ==
Jacob Harrison
Associate
He/Him/His
- Washington, D.C.
  - D | +1.202.624.2533
amhhcnJpc29uQGNyb3dlbGwuY29t

Insights

Client Alert | 8 min read | 05.19.25

AI and Cybersecurity Under the Spotlight: UK Publishes New Codes for Software Security and Warns on AI Cybersecurity Divide

Earlier this month the National Cyber Security Centre (“NCSC”) hosted CYBERUK, the UK government’s flagship cybersecurity event. On 7 May the NCSC launched their report “Impact of AI on cyber threat from now to 2027” (“Report”), whilst the Department for Science, Innovation and Technology (“DSIT”) published a new voluntary Software Security Code of Practice, (“Code”). Cybersecurity and AI are under the spotlight in the UK. Eyes are also on the recently unveiled US/UK trade agreement and the possibility of a further transatlantic tech-focused agreement to cement prior Technology and Data Partnership discussions to create a US/UK “digital bridge.”...

Client Alert | 2 min read | 05.19.25
Department of Energy Begins Investigating Financial Assistance Awards, Heightening Risk of Award Terminations
Client Alert | 9 min read | 05.19.25
U.S. Department of Commerce Rescinds Biden Administration’s AI Diffusion Export Control Rule and Issues New Guidance on Huawei, Chips for AI Purposes, and Diligence Expectations
Client Alert | 3 min read | 05.16.25
EPA Maintains Current Drinking Water Standards for PFOA and PFOS but Plans To Reconsider Other PFAS Compounds

View All Insights