
    What is NIST 800-171? Six Things to Know about Revision 3

    Get to know the key details about the recent NIST SP 800-171 Revision 3 update and its impact on CMMC compliance for defense contractors. Stay informed with expert insights.


    The National Institute of Standards and Technology (NIST) published Special Publication 800-171 titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” also called NIST SP 800-171 or NIST 800-171 for short.

    But what is NIST SP 800-171?

    The short answer: NIST SP 800-171 encompasses the technical requirements (including all 110 security controls) required to earn a Cybersecurity Maturity Model Certification (CMMC).

    Now, let’s get into the details.

    What is NIST?

    NIST is the United States agency tasked with advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.

    The Federal Information Security Modernization Act (FISMA) established NIST as the agency responsible for development of information security standards and guidelines for federal information systems. 

    Where does NIST 800-171 come from?

    NIST based 800-171 on NIST-800-53, but removed controls (or parts of controls) that were uniquely catered to federal organizations. 

    What is the difference between NIST 800-53 and 171?

    NIST 800-53 is a catalogue of more than 1,000 security controls intended for federal information systems. The Department of War (DoW) deems only some of these controls necessary for the protection of Controlled Unclassified Information (CUI); these are the controls that apply to NIST 800-171.

    Are NIST 800-171 and CMMC the same?

    No, NIST 800-171 and CMMC aren’t the same, but they are closely related. CMMC is the certification program and enforcement mechanism all DoW contractors and subcontractors must undergo to handle CUI in support of federal activities. NIST 800-171 holds the controls that must be met to become certified.

    Basically, the Defense Federal Acquisition Regulation (DFARS) tells contractors that they must comply with a set of security requirements to handle CUI. Those requirements are standardized in NIST SP 800-171. CMMC verifies that contractors have fully implemented those requirements.

    How do I get a NIST 800-171 assessment?

    Any organization can use NIST 800-171A to conduct their own self-assessment at any point. As of November 2025, everyone with CUI will be required to have at least a self-assessment. Most defense contractors requiring CMMC Level 2 will be required to have a CMMC Third-Party Assessment Organization (C3PAO) assessment instead.

    Self-assessments are conducted pursuant to CMMC via DFARS clause 252.204-7021 when the required status is CMMC Level 2 (Self).

    What is NIST 800-171 Revision (rev) 3?

    NIST 800-171 was initially released in 2016, making revision essential to strengthening controls against modern threats and refining language to reduce ambiguity.

    NIST 800-171 rev 3 has a smaller number of requirements than rev 2. However, under the hood of NIST 800-171A rev 3 (the document you use to prove that you have fully implemented 800-171), there is a 32% increase in the number of verification questions that need to be answered during an assessment (such as a CMMC assessment).

    Overall, NIST 800-171 revision 3 is progress in the right direction, even if it comes with a few warts.

    Although NIST 800-171 rev 3 and NIST 800-171A rev 3 were released in 2024, they aren’t required for contractors yet. While it’s impossible to know for sure, the soonest they are likely to be enforced by rulemaking is between the end of 2026 and the end of 2027.

    Here are six things you need to know about rev 3:

    1. How many requirements does NIST 800-171 rev 3 have?

    NIST 800-171 rev 3 has 97 security requirements. That’s a 12% decrease compared to the 110 requirements in NIST 800-171 rev 2, right? Not exactly.

    Under the hood, NIST 800-171 rev 3 is derived from its much bigger brother, NIST 800-53. NIST has decided that 156 of the 287 security controls in the NIST 800-53 rev 5 “moderate baseline” are “directly related to protecting the confidentiality of CUI.”

    As a result, the 97 requirements in NIST 800-171 rev 3 represent at least 156 distinct security controls. The final number of requirements in NIST 800-171 rev 3 is mostly a function of how NIST decided to merge multiple controls into single, sometimes massive, requirements.

    A note on “withdrawn” requirements:

    There are 33 “withdrawn” requirements in NIST 800-171 rev 3. However, nearly every withdrawn requirement is simply integrated into the language of other requirements in the standard (something I like to call “the law of the conservation of NIST controls”).

    These withdrawals are why the number of controls has decreased from NIST 800-171 rev 2 to rev 3, while the total number of required tasks has increased.

    For example:

    NIST 800-171 rev 2 includes the requirement to provide security awareness training on insider threats. This requirement (03.02.03) is “withdrawn” in NIST SP 800-171 rev 3, but it is instead incorporated into 03.02.01.

    2. How many requirements does NIST SP 800-171A rev 3 have?

    NIST SP 800-171A rev 3 has 422 requirements. In NIST parlance, these are known as “determination statements” (often referred to as “assessment objectives”).

    Every security control in NIST SP 800-53 has a corresponding verification procedure in NIST 800-53A (a standalone document). Just like its big brother, NIST SP 800-171 requirements derived from NIST SP 800-53 controls have corresponding verification procedures in NIST SP 800-171A (derived from NIST SP 800-53A).

    Important: In order for a security requirement to be considered “fully implemented,” every one of its determination statements needs to be satisfied.

    NIST SP 800-171A rev 2 has 320 determination statements corresponding to the 110 requirements in SP 800-171 rev 2. The jump to 422 determination statements in NIST SP 800-171A rev 3 is a 32% increase. As noted above, don’t be lulled by the apparent decrease from 110 requirements to 97 requirements between the SP 800-171 revisions; defense contractors must orient themselves to SP 800-171A to ensure the level of granularity needed for successful implementation, verification, and CMMC certification.

    3. How many Organizationally Defined Parameters (ODPs) does NIST 800-171 rev 3 have?

    NIST 800-171 rev 3 has 88 ODPs. Combined with the 422 determination statements in NIST SP 800-171A, defense contractors have 510 items that must be verified in order for all 97 requirements in NIST 800-171 rev 3 to be considered “fully implemented.”

    What are ODPs?

    ODPs are variables that must be defined in order to make a NIST security control measurable and verifiable. Until ODPs are defined, a given set of NIST security requirements (like NIST 800-171) reads like a bad set of Mad Libs.

    [Figure: Organizationally defined parameters in NIST SP 800-171 revision 3 requirement 3.2.1]

    Who defines ODPs?

    As the name implies, “the organization” defines the parameters, but which organization that refers to depends on the context. In the case of NIST 800-171, the DoW has published what those ODPs are for rev 3.

    4. Does NIST SP 800-171 rev 3 have any new control families?

    Sort of. NIST SP 800-171 rev 3 has 17 control families. In comparison, NIST 800-171 rev 2 has only 14 control families.

    The three “new” control families in NIST SP 800-171 rev 3 are:

    1. Planning (PL)

    2. System and Service Acquisition (SA)

    3. Supply Chain Risk Management (SR)

    Defense contractors who have implemented NIST 800-171 rev 2 have already implemented requirements from the PL (requirement 3.12.3 – SSP) and SA (requirement 3.13.2 – Security Architecture) families.

    However, NIST SP 800-171 rev 3 now includes the following requirements:

    Planning (PL):

    • Policy and Procedures (3.15.1)

    • Rules of Behavior (3.15.3)

    System and Services Acquisition (SA):

    • Unsupported System Components (3.16.2)

    • External System Services (3.16.3)

    Supply Chain Risk Management (SR):

    • Supply Chain Risk Management Plan (3.17.1)

    • Acquisition Strategies, Tools, and Methods (3.17.2)

    • Supply Chain Requirements and Processes (3.17.3)

    5. NIST SP 800-171 rev 3 no longer has “nonfederal organizations (NFO) controls”

    In previous revisions of NIST SP 800-171, security controls “expected to be routinely satisfied by NFOs without specification” were “tailored” out of the NIST SP 800-53 moderate baseline with the tag “NFO.”

    In essence, NIST made more than 60 assumptions about security controls that federal contractors ought to have already had in place.

    The problem, of course, is that unless a requirement is specified, there is no guarantee that the requirement will be implemented at all.

    For example, policies and procedures are necessary to document management decisions and verify that the security control environment is implemented correctly, operating as intended, and producing the desired outcomes.

    However, policies and procedures are an NFO control in NIST SP 800-171 rev 2. As a result, many organizations will fail their assessments under programs like CMMC simply because they didn’t know they were required to maintain comprehensive documentation. Technically, policies aren’t a requirement in SP 800-171 rev 2, but you can’t fully implement SP 800-171 rev 2 without them.

    No NFOs in NIST 800-171 rev 3? Good riddance.

    6. Does NIST SP 800-171 rev 3 have any new tailoring categories?

    NIST SP 800-171 rev 3 introduces a new tailoring category: “Other Related Controls (ORCs).”

    When “the outcome of the control related to protecting the confidentiality of CUI is adequately covered by other related controls” they are designated as ORCs.

    There are 11 ORCs in NIST SP 800-171 rev 3.

    For example:

    NIST 800-171 rev 3 lists SR-12 as an “ORC control”:

    [Figure: SR-12 tailoring entry. See NIST SP 800-171 revision 3 Appendix C, “Tailoring Criteria”]

    [Figure: SR-12 control text. See NIST SP 800-53 revision 5]

    In the “CUI overlay” included in the supplemental material to NIST SP 800-171 revision 3, NIST indicates that SR-12 is satisfied by the NIST SP 800-53 control MP-6:

    [Figure: MP-6 control text. See NIST SP 800-53 rev 5]

    The NIST 800-53 security control MP-6 is represented as the SP 800-171 security requirement 3.8.3.

    Clearly, MP-6 refers to procedures that occur prior to disposal while SR-12 refers to the process of secure disposal directly. Obviously, these are closely related, but they are not the same. Instead of merging the two controls, we are left with an open question about how to address SR-12.

    While this seems like a convenient decision, I predict that it will cause significant confusion in the world of CMMC assessments due to ORCs being required, but allegedly satisfied, by distinctly different controls (however closely related they may be). Stay tuned.

    What’s Next?

    I don’t think defense contractors will be required to implement rev 3 (and have that implementation assessed by CMMC) for 2 – 3 years. My current ballpark estimate: sometime between the second half of 2026 and the first half of 2027.

    Thanks to a 2024 DFARS 252.204-7012 class deviation, defense contractors are required to implement and maintain NIST SP 800-171 rev 2 indefinitely.

    Additionally, the CMMC rule specifies that defense contractors will be assessed against the requirements in NIST SP 800-171 rev 2.

    For help implementing these controls and pursuing CMMC, reach out to Summit 7.

    Jacob Horne

    Jacob has 15 years of interdisciplinary cybersecurity experience. He uses his knowledge of cybersecurity, NIST standards, and federal rulemaking to help people make sense of cybersecurity regulations and requirements.
