Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-171 Rev. 3 (Final Public Draft)

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Date Published: November 9, 2023
Comments Due: January 26, 2024 (public comment period is CLOSED)
Email Questions to:


Ron Ross (NIST), Victoria Pillitteri (NIST)


This update to NIST SP 800-171 represents over one year of data collection, technical analyses, customer interaction, redesign, and development of the security requirements and supporting information for the protection of Controlled Unclassified Information (CUI). Many trade-offs have been made to ensure that the technical and non-technical requirements have been stated clearly and concisely while also recognizing the specific needs of both federal and nonfederal organizations.

In response to the 1600+ comments received on the initial public draft and its supporting resources, NIST continued to refine the security requirements to:

  1. Reduce the number of organization-defined parameters (ODP)
  2. Reevaluate the tailoring categories and tailoring decisions
  3. Restructure and streamline the discussion sections

Additional files include an FAQ, a detailed analysis of the changes between Revision 2 and Revision 3, and a prototype CUI Overlay.

Concurrently, the initial public draft (ipd) of NIST SP 800-171Ar3 (Revision 3), Assessing Security Requirements for Controlled Unclassified Information, is also available. 

Submit Your Comments

The public comment period is open now through January 12 January 26, 2024. We strongly encourage you to use this comment template if possible, and submit it to

Reviewers are encouraged to comment on all or parts of draft NIST SP 800-171, Revision 3. NIST is specifically interested in comments, feedback, and recommendations for the following topics:

  • Re-categorized controls (e.g., controls formerly categorized as NFO)
  • New tailoring criterion (e.g., other related controls [ORC])
  • Inclusion of organization-defined parameters (ODP)
  • New or revised requirements
  • Prototype CUI overlay

Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.

Please direct questions and comments to

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy Inclusion of Patents in ITL Publications.




Controlled Unclassified Information; Executive Order 13556; FIPS Publication 199; FIPS Publication 200; FISMA; NIST Special Publication 800-53; nonfederal organizations; nonfederal systems; organization-defined parameter; security assessment; security control; security requirement
Control Families

None selected