Cybersecurity · Credibility 90/100 · 2 min read

NIST Issues SP 800-171 Rev. 3 Final Public Draft — November 17, 2023

The draft updates controlled unclassified information protections with supply chain, logging, and continuous monitoring requirements.

Executive briefing: NIST released the final public draft of Special Publication 800-171 Revision 3, modernizing security requirements for protecting controlled unclassified information (CUI) in non-federal systems. The draft aligns with updates to NIST SP 800-53 Rev. 5 and zero trust directives.

Notable updates

  • Expanded control families. Revision 3 introduces new requirements for supply chain risk management, configuration monitoring, and threat intelligence integration.
  • Enhanced logging expectations. Organizations must capture detailed audit events, including privilege changes and anomalous network activity, and retain logs to support investigations.
  • Continuous monitoring emphasis. The draft stresses automated assessments, vulnerability management, and response procedures aligned with zero trust architectures.

Impact on contractors

  • CMMC alignment. Defense industrial base contractors should prepare to incorporate Revision 3 controls into upcoming Cybersecurity Maturity Model Certification (CMMC) assessments.
  • Documentation updates. System security plans, plans of action and milestones, and supplier agreements will need revisions to reflect new control language.
  • Timeline awareness. Although final publication is pending, agencies may reference the draft in solicitations, making early gap assessments prudent.

Immediate actions

  • Conduct a control-by-control comparison between SP 800-171 Rev. 2 and the Revision 3 draft to identify net-new requirements.
  • Engage suppliers handling CUI to confirm readiness for supply chain and logging obligations.
  • Provide feedback to NIST before the public comment deadline to influence final requirements.