NIST 800-171 Rev 3 Class Deviation for Controlled Unclassified Information

In early May 2024, the US DoD (Department of Defense) issued a class deviation that suspends the application of new cybersecurity requirements for Controlled Unclassified Information (CUI). The previous requirements will continue to apply until further communication.

On May 14, 2024, the National Institute of Standards and Technology (NIST) published Revision 3 of Special Publication (SP) 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. SP 800-171 describes the controls that government contractors must put in place when processing, storing or transmitting CUI. The document is divided into areas, called families (for example Access Control, Incident Response and Risk Assessment), with several controls included in each family.

The emphasis of the publication is on digital data, although it also includes requirements for the protection of physical information, such as limiting access to systems and facilities to authorized individuals.

Some of the important changes introduced by Revision 3 are:

• Three new families: Planning, System and Services Acquisition, and Supply Risk Management
• 19 new requirements across ten families
• Withdrawal or consolidation of 33 requirements
• A more detailed description of each requirement, with the addition of references to support guidance
• The introduction of organization-defined parameters (ODPs), which allow individual agencies to set their own criteria for identified controls.

The impact of Revision 3 is potentially significant for Defense Industrial Base (DIB) contractors, as they are required by the Defense Federal Acquisition Regulation Supplement (DFARS)to implement the SP 800-171 version that is currently “in effect at the time the solicitation is issued,” if they want to bid on a contract.

The recent class deviation provides a blanket exemption to that rule and confirms that Revision 2 remains the standard of reference for the time being. By suspending compliance to NIST 800-171 Revision 3, the DoD is allowing for a more gradual transition, while preventing conflicts with the upcoming Cybersecurity Maturity Model Certification (CMMC) program, which is aligned with NIST 800-171 Revision 2 and is expected to be effective in the coming months.

The exemption granted by the DoD currently has no end date: Revision 2 will remain acceptable until “rescinded.” However, contractors within the DIB should continue to implement Revision 2 in order to comply with the upcoming CMMC framework and also be mindful that the implementation of Revision 3 has simply been postponed and will be required in the near future.