NIST publishes SP 800-171 Revision 2
NIST finalized SP 800-171 Rev 2, updating CUI protection requirements for non-federal systems. There are no new controls—just clarifications and errata fixes—but if you are in the defense supply chain, this is the baseline CMMC builds on.
Fact-checked and reviewed — Kodi C.
NIST published Special Publication 800-171 Revision 2 on , maintaining the existing 110 security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems. While the revision made no significant changes to requirements, it aligned documentation with the forthcoming NIST SP 800-171A assessment procedures and clarified implementation expectations for the defense industrial base.
What Actually Changed in Revision 2
Despite the revision number increment, organizations already compliant with Revision 1 face no new technical requirements. The revision primarily addressed documentation alignment, errata corrections, and clarification of ambiguous language—not the introduction of additional security controls.
Assessment procedure alignment: Revision 2 synchronized terminology and structure with NIST SP 800-171A, the companion assessment guide published concurrently. This alignment simplifies mapping between security requirements and assessment objectives, streamlining compliance evaluation and audit preparation.
Control family clarifications: Several requirements received refined explanatory text addressing common implementation questions from the contractor community. These clarifications do not change compliance obligations but give additional guidance to organizations uncertain about implementation scope.
Errata corrections: Minor textual corrections addressed typos, inconsistent cross-references, and formatting issues identified since Revision 1 publication. These corrections do not affect compliance posture.
The 110 Security Requirements Framework
NIST SP 800-171 organizes CUI protection requirements into 14 security families, each addressing a distinct aspect of information security. Understanding this structure helps organizations focus implementation effort and map existing controls to federal requirements.
Access Control (22 requirements) addresses account management, access enforcement, information flow control, and least privilege principles. This family typically requires the most implementation effort for organizations without mature identity governance programs.
Awareness and Training (3 requirements) mandates security awareness programs and role-based training. Most organizations can satisfy these requirements by extending existing training programs to cover CUI-specific handling procedures.
Audit and Accountability (9 requirements) establishes logging, review, and retention capabilities. Organizations often underestimate storage requirements and review bandwidth needed for full audit programs.
Configuration Management (9 requirements) addresses baseline configurations, change control, and least functionality. These requirements align closely with CIS benchmarks and common hardening practices.
Identification and Authentication (11 requirements) covers user identification, authentication strength, and device identification. Multi-factor authentication requirements receive particular attention in CMMC assessments.
DFARS 252.204-7012 Compliance Context
Defense contractors subject to DFARS 252.204-7012 must implement NIST SP 800-171 requirements to protect covered defense information on contractor systems. The clause applies to contracts involving CUI and flows down to subcontractors throughout the supply chain.
System Security Plan (SSP) requirements: Contractors must document how each of the 110 requirements is implemented within their environment. The SSP serves as the primary compliance artifact, demonstrating systematic implementation rather than ad hoc controls.
Plan of Action and Milestones (POA&M): Requirements not fully implemented must be documented in a POA&M with specific remediation timelines. Assessors evaluate both current implementation status and the credibility of remediation plans for outstanding items.
Incident reporting obligations: DFARS requires reporting cyber incidents affecting covered defense information within 72 hours. This timeline demands prepared incident response procedures and clear escalation paths to contracting officers.
CMMC Integration Implications
The Cybersecurity Maturity Model Certification (CMMC) program, announced by DoD in January 2020, incorporates NIST SP 800-171 requirements within its level 3 practices. Contractors preparing for CMMC assessments can use 800-171 compliance as a foundation, though CMMC adds additional practices and process maturity requirements.
Assessment methodology differences: While 800-171 permits contractor self-attestation, CMMC requires third-party assessment by certified assessors. If you are affected, prepare for more rigorous evidence requirements than previously necessary for DFARS compliance claims.
Supply chain implications: CMMC certification requirements will flow down to subcontractors based on CUI handling, not just prime contractor determinations. Organizations throughout defense supply chains should evaluate CUI exposure and certification requirements.
Implementation Prioritization Strategy
Organizations beginning 800-171 implementation should prioritize based on risk reduction and assessment focus areas. Identity and access management controls (AC and IA families) typically reveal the most findings in assessments and offer significant security improvements.
Multi-factor authentication receives disproportionate attention in CMMC assessments. Implementing MFA for all remote access and privileged local access addresses multiple requirements simultaneously and shows security program maturity.
Audit logging and review capabilities require infrastructure investment and operational commitment. If you are affected, plan for log storage growth, analyst time for review activities, and automation to make review processes sustainable.
Security awareness training offers quick wins with minimal technical complexity. Developing CUI-specific training modules and documenting delivery enables rapid compliance with AT family requirements while building security culture.
Common Implementation Gaps
Assessment experience reveals recurring compliance gaps across the contractor community. Boundary definition problems occur when organizations cannot clearly articulate which systems process CUI and which remain out of scope. Ambiguous boundaries complicate compliance demonstration and often expand assessment scope.
Cryptographic protection gaps emerge from systems transmitting CUI without TLS encryption or storing CUI on unencrypted endpoints. Legacy applications and inherited infrastructure frequently lack encryption capabilities assumed in 800-171 requirements.
Personnel security inconsistencies arise from incomplete background check procedures or inadequate access termination processes. These procedural controls require coordination between HR, IT, and security functions that may not exist in smaller organizations.
Assessment Preparation Strategy
Organizations preparing for CMMC or other 800-171 assessments should approach preparation systematically.
Evidence collection: Compile documentation demonstrating each requirement's implementation: policies, procedures, technical configurations, training records, and audit logs. Assessors expect organized evidence packages mapping to specific requirements.
Gap remediation prioritization: Address high-visibility gaps first—MFA for remote access, full audit logging, and documented incident response procedures receive particular scrutiny. Quick wins build momentum and show security program maturity.
Mock assessments: Conduct internal assessments using NIST SP 800-171A methodology before formal evaluation. Identify evidence gaps, process weaknesses, and interview readiness issues while there is time to remediate.
Why This Update Matters for Your Organization
If you are a defense contractor or supplier, NIST 800-171 is not just technical guidance—it is the foundation of your ability to win and maintain government contracts. The revision clarified requirements that caused confusion and provided clearer guidance on implementation.
The reality is that many organizations found the original standard difficult to interpret. This update addresses those pain points with practical examples and clearer language that makes compliance more achievable.
Getting Implementation Right
Here's what successful organizations do differently: they treat 800-171 as a security program, not a compliance project. That means building sustainable practices your team can maintain year after year, not just checking boxes before an assessment.
Start with your most sensitive systems—the ones actually handling CUI. Get those right first. You can expand your compliance boundary later, but protecting your crown jewels from day one demonstrates serious intent to assessors and customers alike.