
NIST Issues SP 800-171 Rev. 3 Final Public Draft — November 17, 2023

The draft updates controlled unclassified information protections with supply chain, logging, and continuous monitoring requirements.

Quick summary

NIST released the final public draft of Special Publication 800-171 Revision 3, representing a significant modernization of the security requirements for protecting controlled unclassified information (CUI) in non-federal systems. The revision aligns with NIST SP 800-53 Rev. 5, incorporates zero trust principles, and introduces new control families addressing contemporary threats, including supply chain risks and advanced persistent threats.

Background and Context

SP 800-171 establishes minimum security requirements for contractors and other non-federal organizations handling CUI:

  • Regulatory foundation: The publication implements requirements from Executive Order 13556 establishing the CUI program and DFARS clause 252.204-7012 mandating its adoption by defense contractors.
  • Previous revision: Revision 2, published in February 2020, served as the baseline for Cybersecurity Maturity Model Certification (CMMC) Level 2 requirements.
  • Driver for update: The revision addresses gaps identified through contractor assessments, supply chain compromises, and evolving threat intelligence since the publication of Rev. 2.
  • SP 800-53 alignment: Revision 3 maintains compatibility with the SP 800-53 Rev. 5 control baseline while tailoring requirements for non-federal environments.

Major Control Family Changes

Revision 3 introduces significant changes across multiple control families:

  • Supply Chain Risk Management (New): Organizations must implement formal supply chain risk assessment processes, verify supplier security practices, and maintain visibility into critical component provenance.
  • Audit and Accountability (Enhanced): Expanded logging requirements include detailed privilege changes, anomalous network activity, and integration with security information and event management (SIEM) platforms.
  • Identification and Authentication (Enhanced): Multi-factor authentication requirements broadened, with specific guidance for privileged access and remote sessions.
  • Configuration Management (Enhanced): Continuous configuration monitoring and automated compliance verification expectations added.
  • Risk Assessment (Enhanced): Integration with threat intelligence feeds and vulnerability management processes required.
  • System and Communications Protection (Enhanced): Network segmentation and zero trust architecture principles incorporated.

Logging and Monitoring Requirements

Revision 3 significantly expands audit and monitoring expectations:

  • Event types: Organizations must capture authentication events, privilege escalations, configuration changes, data access patterns, and network anomalies.
  • Retention: Log retention periods must support incident investigations and forensic analysis, typically requiring 12+ months of accessible data.
  • Centralization: Audit data should be consolidated in SIEM or similar platforms enabling correlation and alerting.
  • Protection: Audit logs must be protected from unauthorized modification or deletion, with integrity verification capabilities.
  • Review: Regular audit log review and anomaly investigation processes required.
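One way to meet the protection and integrity-verification expectation above, as an added example that is not from NIST or this briefing: each audit record carries an HMAC tag computed over its own fields and the previous record's tag, so modification, deletion or reordering of any record is detectable when the chain is verified. The signing key, field names and sample events are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed key for illustration only; a real deployment would hold the key
# in the log collector or an HSM/KMS, never on the hosts that emit events.
SIGNING_KEY = b"example-only-audit-log-key"
GENESIS = "0" * 64  # anchor for the first record's "prev" field

# Constructed sample events covering event types the briefing lists.
SAMPLE_EVENTS = [
    {"ts": "2023-11-17T09:00:00Z", "type": "auth", "user": "jdoe", "mfa": True},
    {"ts": "2023-11-17T09:05:12Z", "type": "privilege_change", "user": "jdoe",
     "detail": "added to cui-admins"},
    {"ts": "2023-11-17T09:07:40Z", "type": "config_change", "host": "cui-fs01",
     "detail": "audit policy modified"},
]


def _tag(fields, key):
    # Canonical JSON so the tag does not depend on key order or whitespace.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def chain_events(events, key=SIGNING_KEY):
    """Wrap events in sequence-numbered records whose HMAC tag also covers the
    previous record's tag, so edits, deletions and reordering break the chain."""
    records, prev = [], GENESIS
    for seq, event in enumerate(events, start=1):
        fields = {"seq": seq, "prev": prev, **event}
        prev = _tag(fields, key)
        records.append({**fields, "tag": prev})
    return records


def verify_chain(records, key=SIGNING_KEY):
    """Return (True, None) if the chain is intact, else (False, seq) where seq is
    the first position at which the log can no longer be trusted."""
    prev, expected = GENESIS, 1
    for rec in records:
        if rec.get("seq") != expected or rec.get("prev") != prev:
            return False, expected  # gap, reorder or prev-link mismatch
        fields = {k: v for k, v in rec.items() if k != "tag"}
        if not hmac.compare_digest(_tag(fields, key), rec.get("tag", "")):
            return False, expected  # record contents altered
        prev, expected = rec["tag"], expected + 1
    return True, None
```

Anchoring each day's final tag in a separate store (or signing it) lets a reviewer also detect truncation of the whole tail, which a chain alone cannot reveal.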

Zero Trust Architecture Integration

The revision incorporates zero trust principles throughout:

  • Continuous verification: Authentication and authorization must be validated continuously, not just at session establishment.
  • Least privilege: Access rights limited to minimum necessary for function, with regular recertification.
  • Network segmentation: Micro-segmentation and software-defined perimeters recommended for CUI environments.
  • Device trust: Device posture assessment required before granting access to CUI systems.
  • Encryption: Data encryption required both in transit and at rest, with key management controls.

Impact on Defense Industrial Base

Defense contractors face significant implications from Revision 3:

  • CMMC alignment: Revision 3 requirements will probably form the basis for updated CMMC Level 2 assessments, requiring contractors to implement new controls.
  • Contract requirements: Agencies may begin referencing Rev.3 requirements in solicitations once the final publication is released.
  • Assessment preparation: Contractors should begin gap assessments against draft requirements to identify necessary investments.
  • Supply chain obligations: Prime contractors must flow down the enhanced requirements to subcontractors handling CUI.

Documentation Updates Required

Organizations will need to update multiple compliance artifacts:

  • System Security Plans: SSPs must be revised to address the new control families and the enhanced requirements within existing families.
  • Plans of Action and Milestones: POAMs should identify gaps against Rev. 3 requirements and remediation timelines.
  • Supplier agreements: Contracts with vendors handling CUI need updates reflecting supply chain requirements.
  • Policies and procedures: Internal documentation must address new audit logging, continuous monitoring, and supply chain processes.
  • Training materials: Security awareness training should incorporate Rev.3 requirement changes.

Implementation Timeline Considerations

If you are affected, plan implementation activities aligned with expected timelines:

  • Comment period: NIST accepted public comments on the draft through early 2024, potentially influencing final requirements.
  • Final publication: The final SP 800-171 Rev.3 was expected in 2024, establishing the authoritative requirement set.
  • Transition period: NIST typically provides transition periods for organizations to implement major revisions, likely 12-24 months.
  • CMMC integration: DoD will need to update CMMC assessment guidance to align with Rev.3, potentially affecting assessment timelines.

Gap Assessment Approach

If you are affected, conduct structured gap assessments:

  • Compare current Rev. 2 implementation status against Rev. 3 draft requirements control by control
  • Identify net-new controls that must be implemented from scratch
  • Assess enhanced requirements within existing control families
  • Evaluate the technology and process investments needed to achieve compliance
  • Estimate implementation costs and timelines for budget planning
  • Prioritize high-impact gaps for early remediation

Supplier Engagement Requirements

The supply chain control family creates new obligations for vendor management:

  • Maintain inventories of suppliers with access to CUI or CUI systems
  • Assess supplier security practices and require evidence of controls
  • Include security requirements in supplier contracts and monitor compliance
  • Verify software provenance and integrity for critical components
  • Establish incident notification requirements with suppliers

Final assessment

SP 800-171 Revision 3 represents the most significant update to CUI protection requirements since the original publication. The expanded scope addressing supply chain risk, enhanced logging requirements, and zero trust integration will require significant implementation effort for organizations handling CUI. Early engagement with the draft requirements, proactive gap assessment, and strategic investment planning will position organizations for a successful transition when the final publication becomes effective.
