Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-171A Rev. 3 (Initial Public Draft)

Assessing Security Requirements for Controlled Unclassified Information

Date Published: November 9, 2023
Comments Due: January 26, 2024 (public comment period is CLOSED)
Email Questions to:

Planning Note (12/13/2023):

The public comment period has been extended to January 26, 2024.


Ron Ross (NIST), Victoria Pillitteri (NIST)


This initial public draft is being released along with NIST SP 800-171r3 fpd (final public draft). 

In addition to reflecting the security requirements in NIST SP 800-171r3 fpd, the following significant changes have been made:

  • Restructured the assessment procedure syntax to align with NIST SP 800-53A
  • The addition of a references section to provide source assessment procedures from NIST SP 800-53A
  • A one-time change to the publication version number (skipping “Revision 2”) to align with NIST SP 800-171r3

Submit Your Comments

The public comment period is open now through January 12 January 26, 2024. We strongly encourage you to use this comment template if possible, and submit it to

Reviewers are encouraged to comment on all or parts of draft NIST SP 800-171A, Revision 3. NIST is specifically interested in comments, feedback, and recommendations for the following topics:

  • The alignment of the assessment procedures to NIST SP 800-53A
  • The use of organization-defined parameters (ODPs) in the assessment procedures
  • The ease-of-use of the assessment

Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.

Please direct questions and comments to

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy Inclusion of Patents in ITL Publications.




assessment; assessment method; assessment object; assessment procedure; assurance; basic security requirement; controlled unclassified information; coverage; CUI registry; depth; Executive Order 13556; FISMA; NIST Special Publication 800-171; NIST Special Publication 800-53A; nonfederal organization; nonfederal system; security assessment; security control
Control Families

None selected


Download URL

Supplemental Material:
Comment template (xlsx)
SP 800-171A Assessment Procedures (xlsx)

Document History:
11/09/23: SP 800-171A Rev. 3 (Draft)