Navigating the Updates in NIST SP 800-171 Revision 3 

NIST Special Publication (SP) 800-171 has been updated from Revision 2 to Revision 3 after over a year of data collection, technical analysis, customer interaction, and development. The new version streamlines introductory information modifies security requirements to reflect NIST SP 800-53B moderate baseline and tailoring actions, eliminates the distinction between basic and derived security requirements, increases the specificity of security requirements, introduces organization-defined parameters (ODP), groups security requirements, removes outdated and redundant security requirements, and introduces a new tailoring category. The update also includes a prototype CUI overlay, a revised structure of the References, Acronyms, and Glossary sections, and a revised tailoring table. The transition information can be found on the publication details web page. 

How were the security controls in 800-171 Revision 3 developed? 

The NIST SP 800-53 security controls in the NIST SP 800-53B moderate baseline are used to satisfy the minimum-security requirements in FIPS 200. Still, they are tailored to eliminate specific controls or parts of controls that are primarily the responsibility of the Federal Government, not directly related to protecting the confidentiality of CUI, or expected to be implemented by nonfederal organizations without specification by the Federal Government. 

The NIST SP 800-171 security requirements are a subset of the controls required for a complete information security program. They are grouped into 17 families, each containing requirements related to a specific security topic. Some families from NIST SP 800-53 are not included due to tailoring criteria. 

What are ODPs (Organization-defined Parameters)? 

Organization-defined parameters (ODP) are included in some requirements to provide additional flexibility for federal organizations. ODPs allow these organizations to specify values for designated parameters as needed, which laws, directives, policies, and other factors can guide. Once specified, these values become part of the requirement, and the assignment and selection operations allow for customization based on organizational protection needs. 

NIST 800-171 Revision 3 is grouped into 17 control Families 

Access Control 
Awareness and Training  
Audit and Accountability  
Configuration Management  
Identification and Authentication  
Incident Response 
Media Protection  
Personnel Security  
Physical Protection  
Risk Assessment 
Security Assessment and Monitoring  
System and Communications Protection  
System and Information Integrity  
Planning (New) 
System and Services Acquisition (New) 
Supply Chain Risk Management (New) 

Number of Changes to Security Requirements 

Type of Change  Change Description  Number  
No significant change  Editorial changes to requirement; no change in outcome.  18 
Significant Change  Additional detail in the requirement, including more comprehensive detail on foundational tasks for achieving the outcome of the requirement.  49 
Minor Change  Editorial changes. Limited changes in the level of detail and outcome of requirements.  18 
New Requirement  Newly added requirement in IPD SP 800-171 Rev 3.  26 
Withdrawn Requirement  Requirement withdrawn or migrated to another requirement.  27 
New Organization-defined Parameter (ODP)  Note: New ODPs can apply to all change types with the exception of withdrawn requirements. Each requirement includes one or more new ODPs.  53 
   Total Number of Security Requirements in  
Draft SP 800-171 Rev 3 


It is unknown when it will be final, but historically NIST finalizes publications within one year of the public draft. The earliest we anticipate the draft to be final is the end of 2023, as it must go through the public comment process. 

Implications to DFARS 7012 

DFARS 7012 does not state a revision number as part of the regulation, which means that once NIST 800-171 r3 is final, it will be the required publication to follow to comply with DFARS 7012. Once final, any updated or new control must be added to your POAM for planned remediation. 

Implications to CMMC 

The DoD has not released a public draft of the CMMC framework, which must be updated to match 800-171 r3 once final. The update of this document will impact the requirements for CMMC certification. The DoD has not stated when this update is expected. 

Is it time for Defense Contractors to Freak Out? 

For those already working towards compliance with 800-171 Revision 2, no, but it is time for defense contractors not already on the path to compliance with the current revision of NIST 800-171 to start the process urgently. It takes, on average, an organization 12-18 months to fully implement all controls in 800-171 Revision 2, and if they start now, the requirements will only increase midway through as Revision 3 becomes final. The time to start is now, and MAD Security can help.

Let’s Socialize

Related Posts

About Us
united states flag

Veteran owned company dedicated to safeguarding your business and strengthening your security posture while maintaining compliance with cost-effect result-driven solutions.

Let’s Socialize

Popular Post