Protecting Controlled Unclassified Information: Drafts of NIST SP 800-171 Rev. 3 and NIST SP 800-171A Rev. 3 Available for Comment

The final public draft (fpd) of NIST Special Publication (SP) 800-171r3 (Revision 3) and initial public draft (ipd) of NIST SP 800-171Ar3 (Revision 3) are now available for public review and comment.

The final public draft (fpd) of NIST Special Publication (SP) 800-171r3 (Revision 3), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is now available for public review and comment.

This update to NIST SP 800-171 represents over one year of data collection, technical analyses, customer interaction, redesign, and development of the security requirements and supporting information for the protection of Controlled Unclassified Information (CUI). Many trade-offs have been made to ensure that the technical and non-technical requirements have been stated clearly and concisely while also recognizing the specific needs of both federal and nonfederal organizations.

In response to the 1600+ comments received on the initial public draft and its supporting resources, NIST continued to refine the security requirements to:

  1. Reduce the number of organization-defined parameters (ODP)
  2. Reevaluate the tailoring categories and tailoring decisions
  3. Restructure and streamline the discussion sections

Additional files for the final public draft include an FAQ, a detailed analysis of the changes between Revision 2 and Revision 3, and a prototype CUI Overlay.

Concurrently, the initial public draft (ipd) of NIST SP 800-171Ar3 (Revision 3), Assessing Security Requirements for Controlled Unclassified Information, is also available. In addition to reflecting the security requirements in NIST SP 800-171r3 fpd, the following significant changes have been made:

  1. A restructuring of the assessment procedure syntax to align with NIST SP 800-53A
  2. The addition of a references section to provide source assessment procedures from NIST SP 800-53A
  3. A one-time change to the publication version number (skipping “Revision 2”) to align with NIST SP 800-171r3

Submit Your Comments

The public comment period for both drafts is open through January 12, 2024. We strongly encourage you to use the comment template available on each publication details page, and submit your comments to 800-171comments [at] list.nist.gov. Reviewers are encouraged to comment on all or parts of both publications. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.

Please direct questions and comments to 800-171comments [at] list.nist.gov.

Released November 9, 2023