NIST Issues Updated Security Requirements and Assessment Procedures for Protecting Controlled Unclassified Information (CUI)
May 14, 2024

NIST has published the final versions of Special Publication (SP) 800-171r3 (Revision 3), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and SP 800-171Ar3, Assessing Security Requirements for Controlled Unclassified Information. The security requirements and assessment procedures have been issued concurrently through the Cybersecurity and Privacy Reference Tool (CPRT) to give users additional ways to access the datasets (i.e., via browser, download as spreadsheet, and JSON).

Major updates to SP 800-171r3 include refinements for consistency with SP 800-53r5, such as:

  • Restructured security requirements to show direct alignment with SP 800-53r5 controls
  • Introduction of organization-defined parameters (ODP)
  • New tailoring criteria to reduce potential redundancy and improve clarity
  • Recategorization of controls based on the new tailoring criteria

SP 800-171r3 provides additional outcome-oriented guidance to reduce ambiguity and better support implementation.

NIST is also issuing a CUI Overlay that shows the direct SP 800-53 control item tailoring for the CUI security requirements. Other supplemental resources to assist implementers include an analysis of changes between SP 800-171r2 and SP 800-171r3 and an FAQ.

Similarly, SP 800-171Ar3 includes updates for consistency with the corresponding SP 800-171r3 security requirements and the source SP 800-53Ar3 assessment procedures, including:

  • Modifications to the assessment procedure structure and syntax
  • Inclusion of ODPs to facilitate traceability and usability

In response to the feedback received during the public comment period, additional guidance on conducting security requirement assessments was also included, and a one-time “revision number” change was made for consistency and alignment with SP 800-171r3.

NIST plans to release additional resources through the Online Informative References (OLIR), including crosswalks between SP 800-171r3 and SP 800-53r5, and the Cybersecurity Framework 2.0.

NIST has also issued a News Article, NIST Finalizes Updated Guidelines for Protecting Sensitive Information, about the release.

For more information about the NIST Protecting CUI Project and other resources, see: https://csrc.nist.gov/Projects/protecting-controlled-unclassified-information. Please direct questions and comments to sec-cert@nist.gov.

Created May 08, 2024, Updated May 14, 2024