NIST SP 800-171 Rev. 3 — Protecting Controlled Unclassified Information
NIST SP 800-171 defines security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems. Revision 3, released in May 2024, adds 3 new control families (Planning, System Acquisition, Supply Chain) for a total of 119 controls across 14 families. It is mandatory for all DoD contractors under DFARS 252.204-7012 and is aligned with CMMC 2.0.
At a glance:
- 119 controls
- 14 families
- 3 new families in Rev. 3
- Mandatory for DoD contractors
Control family highlights:
- Account management, access enforcement, remote and wireless access controls, and identification/authentication for CUI systems.
- Audit event and content requirements, configuration baselines, change management, and least functionality for CUI environments.
- Incident handling and reporting procedures, system maintenance controls, and maintenance personnel authorization for CUI systems.
- Vulnerability scanning, risk assessment, security assessment procedures, and plan of action and milestones (POA&M) management.
- New in Revision 3: supply chain risk management, acquisition planning, and system development life cycle policies for CUI protection.
Path to compliance:
1. Identify all systems that process, store, or transmit Controlled Unclassified Information.
2. Assess the current implementation state of each control and calculate the Supplier Performance Risk System (SPRS) score.
3. Create a System Security Plan (SSP) documenting how each of the 119 controls is implemented.
4. Document planned remediation activities, timelines, and milestones in a POA&M for any unmet controls.
5. Prepare for a CMMC Level 2 assessment aligned with the Rev. 3 control requirements.
6. Maintain the program through ongoing assessment, POA&M updates, and annual self-attestation in SPRS.