On May 14, 2024, the National Institute of Standards and Technology (NIST) issued the final version of Revision 3 to NIST Special Publication (SP) 800-171, providing updated guidance to contractors and federal agencies who handle controlled unclassified information (CUI). As explained below, aside from Department of Defense (DoD), the new standards provided in Revision 3 became effective upon issuance and, unless stated otherwise, will be the operative standards in solicitations and contracts going forward.

Background: Controlled Unclassified Information (CUI) and SP 800-171

In 2010, Executive Order (E.O.) 13556 established a government-wide program to standardize the way the executive branch handles CUI. The program requires federal agencies to process, store, and transmit CUI in compliance with NIST standards and guidelines, and extends those protection requirements to CUI used and stored by nonfederal entities on nonfederal systems (i.e., contractors who handle CUI on their own systems during contract performance). In accordance with the E.O., NIST issued SP 800-171 in 2015 to provide "federal agencies with recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations." These requirements are "passed through" to nonfederal organizations via contracts and other agreements. 

Revision 3

Revision 3 is aimed at updating and streamlining the standards provided in Revision 2. Here are a few of the most relevant changes for contractors. 

• Clarity and Streamlining: Revision 3 contains 97 security requirements, down from 110 found in Revision 2, through the elimination of outdated and redundant requirements. NIST also combined and/or restructured security requirements where appropriate. In addition, the agency re-wrote certain security requirement descriptions to increase specificity and remove noted ambiguities. For example, Revision 3 removes the ambiguous term "periodically" found in Revision 2 descriptions (i.e., "scan for vulnerabilities in organizational systems and applications periodically"). Finally, the agency eliminated the distinction between "basic" requirements (taken from Federal Information Processing Standards (FIPS) 200) and "derived" requirements (taken from NIST SP 800-53), instead using only SP 800-53 as the "single authoritative source" to increase "specificity and clarity." 
• New Security Requirements Families: The security requirements found in SP 800-171 are organized into 17 families, up from 14 families in Revision 2. The three new families are: Planning, System and Services Acquisition, and Supply Chain Risk Management. 
  • In particular, contractors should review the new Supply Chain Risk Management family, as it contains three new security controls, including the (1) development of a supply chain risk management plan, (2) development and implementation of acquisition strategies, tools, and procurement methods to identify, protect against, and mitigate supply chain risks, and (3) establishment of processes for identifying and addressing weaknesses or deficiencies in the supply chain.
• Organization-Defined Parameters (ODPs): Revision 3 introduces the concept of ODPs used in certain security requirements, purportedly to increase flexibility by allowing the relevant federal agency or contractor to specify values for the parameters designated in a given security requirement. For example, the "Unsuccessful Logon Attempts" security control mandates that a contractor handling CUI enforce a limit to the number of consecutive invalid logon attempts by a user during a given period. The associated ODP allows the relevant federal agency or contractor to define the number of login attempts and the time period. While this gives agencies flexibility to define their security requirements, it is likely to create inconsistencies across different agencies, so it is important that contractors review the specific ODPs for their particular agency and contract. 
• Alignment with NIST SP 800-53: As we noted, Revision 3 no longer references FIPS 200. Instead, all security requirements described in SP 800-171, which governs the protection of CUI on nonfederal systems, are derived from the requirements found in SP 800-53, which governs the protection of CUI on federal systems. Appendix C of Revision 3 provides the mapping and describes the "tailoring criteria" used to develop the CUI security requirements in SP 800-171. 
• Assessing Security Requirements: NIST also released SP 800-171A Revision 3, which provides organizations with assessment procedures and a methodology that can be used to conduct assessments of the security requirements found in 800-171 Revision 3. Notably, the number of assessment objectives increased to 390, up from 320 in Revision 2. 

Cybersecurity Rules and DoD Class Deviation

Many federal cybersecurity rules and programs rely upon SP 800-171 in defining CUI requirements, including the DoD's Cybersecurity Maturity Model Certification (CMMC) Program, Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and likely the forthcoming Federal Acquisition Regulation (FAR) rule. As such, it is vitally important for contractors that process, store, or transmit CUI on their own systems during contract performance to review Revision 3 and ensure they have the requisite policies and procedures in place to meet NIST's standards. 

DoD contractors should be mindful of the Department's class deviation, issued earlier this month, delaying the applicability of Revision 3's standards to DoD contracts. The deviation to DFARS 252.204-7012 requires contractors subject to the clause to comply with NIST SP 800-171 Revision 2 "instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer," which would now otherwise be Revision 3. DoD stated that the purpose of the deviation is to "provide industry time for a more deliberate transition" to Revision 3. No timeline was given for when the deviation would be rescinded. 

Conclusion

Revision 3 makes significant changes to contractor requirements for handling CUI, as highlighted by the summary above. If you have questions about how these changes impact your business or about how to comply with the new requirements, please contact one of the Miller & Chevalier attorneys below.

Ashley Powers, apowers@milchev.com, 202-626-5564

Connor W. Farrell, cfarrell@milchev.com, 202-626-5925

The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.