Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Open for Public Comment: Draft NIST SP 800-171, Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
May 10, 2023

The initial public draft (IPD) of NIST Special Publication (SP) 800-171, Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is available for public comment and review through July 14, 2023.

This update to NIST SP 800-171 represents over one year of data collection, technical analyses, customer interaction, redesign, and development of the security requirements and supporting information for the protection of Controlled Unclassified Information (CUI). Many trade-offs have been made to ensure that the technical and non-technical requirements have been stated clearly and concisely while also recognizing the specific needs of both federal and nonfederal organizations.

Significant changes NIST SP 800-171, Revision 3 include:

  1. Updates to the security requirements and families to reflect updates in NIST SP 800-53, Revision 5 and the NIST SP 800-53B moderate control baseline
  2. Updated tailoring criteria
  3. Increased specificity for security requirements to remove ambiguity, improve the effectiveness of implementation, and clarify the scope of assessments
  4. Introduction of organization-defined parameters (ODP) in selected security requirements to increase flexibility and help organizations better manage risk
  5. A prototype CUI overlay

In addition to the draft publication, NIST has issued an FAQ, a detailed analysis of the changes between Revision 2 and Revision 3, and a prototype CUI Overlay. All are available on the publication details page, under "Supplemental Material."

NIST will also host a webinar on June 6, 2023 to provide an overview of the significant changes to SP 800-171, Revision 3. Registration information will be announced separately through a GovDelivery announcement and on the Protecting CUI project site.

Submit Your Comments

The public comment period is open now through July 14, 2023. See the publication details for a copy of the draft and instructions for submitting comments.

Reviewers are encouraged to comment on all or parts of draft NIST SP 800-171, Revision 3. NIST is specifically interested in comments, feedback, and recommendations for the following topics:

  • Re-categorized controls (e.g., controls formerly categorized as NFO)
  • Inclusion of organization-defined parameters (ODP)
  • Prototype CUI overlay

Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed. Please direct questions and comments to

NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy Inclusion of Patents in ITL Publications.

Also see the related NIST news article, NIST Revises SP 800-171 Guidelines for Protecting Sensitive Information.
Created May 08, 2023, Updated May 10, 2023