In an effort to aid federal agencies and government contractors in more consistently implementing cybersecurity standards, the National Institute of Standards and Technology (NIST) has updated its draft rules for protecting sensitive unclassified information.


The numerous firms that work with the federal government will be especially interested in the updated draft guidelines, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171 Revision 3). The SP 800-171 security criteria are mentioned in federal regulations governing the protection of controlled unclassified information (CUI), which includes sensitive data such as health information, information on essential energy infrastructure, and intellectual property. Government programs including important assets, such as design specifications for weapon systems, communications systems, and space systems, are frequently supported by systems that store CUI.


The modifications are made in part to assist these companies in better understanding how to apply the particular cybersecurity precautions described in a related NIST publication called SP 800-53 Rev. 5. In order for organizations to more easily implement the list of technical instruments, or “controls,” in SP 800-53 to achieve the cybersecurity outcomes in SP 800-171, the authors have aligned the terminology of the two publications. 


The update is intended to assist in maintaining consistent defenses against serious threats to information security, according to Ron Ross of NIST. 


Since CUI has recently been the subject of state-level espionage, many of the recently introduced regulations particularly address risks to the institution. Because the threat landscape is always shifting, we want to design and maintain state-of-the-art defenses, according to Ross, a NIST Fellow and one of the report’s authors. “We attempted to articulate those specifications in a way that demonstrates to contractors what we do and why in terms of federal cybersecurity. Less uncertainty and more relevant detail are present now. 


NIST asked for public feedback on the draft recommendations on July 14, 2023.


Important revisions to the draft include: 


Notable updates in the draft include: 


  • Changes to reflect the state-of-practice cybersecurity controls;
  • Revised criteria used by NIST to develop security requirements;
  • Increased specificity and alignment of the security requirements in SP 800-171 Rev. 3 with SP 800-53 Rev. 5, to aid in implementation and assessment; and
  • Additional resources to help implementers understand and analyze the proposed updates.  


The overall result of the adjustments, according to Ross, was to improve the criteria while streamlining the ecosystem of NIST cybersecurity publications. 


“Protecting CUI, including intellectual property, is critical to the nation’s ability to innovate — with far-reaching implications for our national and economic security,” he stated. We require safeguards that are effective enough to do the job. 


Prior to the publication of the final version of SP 800-171 Rev. 3 in early 2024, NIST plans to release at least one additional draft version of the standard. The set of supporting NIST publications on safeguarding controlled unclassified information, including SPs 800-171A (security requirement assessment), SP 800-172 (enhanced security requirements), and SP 800-172A (enhanced security requirement assessment), will be revised by the authors after the release of the final version. 


Last June 6, 2023, NIST hosted a webinar to introduce the updates to SP 800-171. The Protecting CUI project website will update with registration details the following week.


The recent revision of NIST Special Publication 800-171 marks a significant milestone in the world of cybersecurity and data protection. As the digital landscape continues to evolve, it’s imperative that organizations adapt and enhance their security measures to safeguard sensitive information effectively. The updated guidelines provide a more comprehensive and up-to-date framework to address the ever-growing threats to data integrity and confidentiality.


At Intelecis, we recognize the importance of NIST compliance and understand the challenges that businesses face in navigating this complex landscape. Our mission is to empower organizations to have a seamless NIST compliance journey, ensuring that they can meet the rigorous standards outlined in SP 800-171 while also enhancing their overall cybersecurity posture.


Our team of experts is well-versed in the latest NIST guidelines and can provide tailored solutions to address your organization’s unique needs. Whether you are just beginning your compliance journey or looking to enhance your existing security measures, Intelecis is here to assist you every step of the way. Contact us today!