NIST SP 800-171B (Initial Public Draft)

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets

Date Published: June 2019
Comments Due: August 2, 2019 (public comment period is CLOSED)


Ron Ross (NIST), Victoria Pillitteri (NIST), Gary Guissanie (IDA), Ryan Wagner (IDA), Richard Graubart (MITRE), Deborah Bodeau (MITRE)


Draft NIST SP 800-171B was developed in the spring of 2019 as a supplement to NIST SP 800-171. This new document offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure. When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)). In recent years, these critical programs and HVAs have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST.

The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171, since the basic and derived requirements are not designed to address the APT. The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a critical program or HVA. The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

Submitting comments:

  • Draft SP 800-171B: All public comments received on Draft NIST SP 800-171B will be posted on both the Protecting CUI project and docket no. NIST-2019-0002 without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or business information). We encourage you to use the comment template provided when submitting your comments. The deadline for comments on Draft SP 800-171B, originally July 19, 2019, has been extended to Friday, August 2, 2019. Submit comments to
  • DoD Cost Analysis for Draft SP 800-171B: The DoD has completed a cost analysis to provide stakeholders insight into the estimated cost of implementing the enhanced security requirements in Draft NIST SP 800-171B. The cost analysis is available for review and comment at the publication details link below. Please submit any comments regarding the DoD cost analysis review by July 19, 2019 to docket no. DOD-2019-OS-0072.
  • Draft SP 800-171 Rev. 2: The comment period for Revision 2 of SP 800-171, originally open until July 19, 2019, has also been extended to Friday, August 2, 2019.

NOTE: A call for patent claims is included on page v of Draft SP 800-171B. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.



advanced persistent threat; basic security requirement; contractor systems; Controlled Unclassified Information; CUI Registry; derived security requirement; enhanced security requirement; Executive Order 13556; FIPS Publication 199; FIPS Publication 200; FISMA; NIST Special Publication 800-53; nonfederal organizations; nonfederal systems; security assessment; security control; security requirement