Governance Briefing — NIST publishes SP 800-171 Revision 2

Executive briefing: NIST released Special Publication 800-171 Revision 2. The update retains the 110 security requirements for safeguarding Controlled Unclassified Information (CUI) in contractor systems and clarifies that assessment procedures are documented separately in SP 800-171A.

Why it matters

• Steady requirements: Contractors cannot defer control implementation on the assumption of new requirements; the baseline remains unchanged.
• Assessment alignment: DoD’s CMMC and self-attestation efforts reference the same control set, so SSPs and POA&Ms must stay accurate.
• Federal audits: Agencies can continue to enforce the established control set in grants and contracts without revision delays.

Operator actions

1. Update documentation: Confirm your SSP, POA&M, and inheritance statements map to the unchanged Rev. 2 controls.
2. Prepare for assessment: Align evidence to NIST SP 800-171A assessment objectives ahead of CMMC readiness reviews.
3. Flow down: Communicate the steady control expectations to subcontractors handling CUI and update contract language accordingly.