Accessibility Tools

Skip to main content

Access World-Class NIST RMF Documentation with ASP Learn More

NIST Issues Initial Public Draft of Revision 3 of NIST 800-171

Arlington Security Portal

Get Access to 100 + NIST RMF security and privacy policies & procedures, programs, and plan templates.

The National Institute of Standards and Technology ("NIST") published a first public draft of revision 3 of NIST Special Publication ("SP") 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, on May 10, 2023. The document, despite being in draft form, offers crucial advice to federal government contractors and other businesses that are required to utilize NIST SP 800-171 as a baseline for cybersecurity compliance. NIST incorporated public comments into the draft Revision 3 and is still looking for feedback on this revision.

Significant changes NIST SP 800-171, Revision 3 include:

  1. Updates to the security requirements and families to reflect updates in NIST SP 800-53, Revision 5 and the NIST SP 800-53B moderate control baseline
  2. Updated tailoring criteria
  3. Increased specificity for security requirements to remove ambiguity, improve the effectiveness of implementation, and clarify the scope of assessments
  4. Introduction of organization-defined parameters (ODP) in selected security requirements to increase flexibility and help organizations better manage risk
  5. A prototype CUI overlay

The development of the security requirements and supporting material for the protection of Controlled Unclassified material (CUI) took more than a year, and the update to NIST SP 800-171 is the result of data collecting, technical analysis, customer contact, and redesign. To guarantee that the technical and non-technical requirements have been presented clearly and simply while also taking into account the unique demands of both federal and non-federal entities, numerous trade-offs have been made.

About Arlington

We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®.  Learn more at