The final public draft (fpd) of NIST Special Publication (SP) 800-171r3 (Revision 3), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is now available for public review and comment.
This update to NIST SP 800-171 represents over one year of data collection, technical analyses, customer interaction, redesign, and development of the security requirements and supporting information for the protection of Controlled Unclassified Information (CUI). Many trade-offs have been made to ensure that the technical and non-technical requirements have been stated clearly and concisely while also recognizing the specific needs of both federal and nonfederal organizations.
In response to the 1600+ comments received on the initial public draft and its supporting resources, NIST continued to refine the security requirements to:
Additional files for the final public draft include an FAQ, a detailed analysis of the changes between Revision 2 and Revision 3, and a prototype CUI Overlay.
Concurrently, the initial public draft (ipd) of NIST SP 800-171Ar3 (Revision 3), Assessing Security Requirements for Controlled Unclassified Information, is also available. In addition to reflecting the security requirements in NIST SP 800-171r3 fpd, the following significant changes have been made:
The public comment period for both drafts is open through January 26, 2024 (originally January 12). We strongly encourage you to use the comment template available on each publication details page and to submit your comments to 800-171comments@list.nist.gov. Reviewers are encouraged to comment on all or parts of both publications. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters' names and affiliations (when provided) will be included, while contact information will be removed.
Please direct questions and comments to 800-171comments@list.nist.gov.