NIST 800-171 Rev 3 Class Deviation for Controlled Unclassified Information

In early May 2024, the US DoD (Department of Defense) issued a class deviation that suspends the application of new cybersecurity requirements for Controlled Unclassified Information (CUI). The previous requirements will continue to apply until further communication.
The new security requirements for CUI
On May 14, 2024, the National Institute of Standards and Technology (NIST) published Revision 3 of Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. SP 800-171 describes the controls that government contractors must put in place when processing, storing or transmitting CUI. The document is divided into areas, called families (for example Access Control, Incident Response and Risk Assessment), with several controls included in each family.
The emphasis of the publication is on digital data, although it also includes requirements for the protection of physical information, such as limiting access to systems and facilities to authorized individuals.
Some of the important changes introduced by Revision 3 are:
- Three new families: Planning, System and Services Acquisition, and Supply Risk Management
- 19 new requirements across ten families
- Withdrawal or consolidation of 33 requirements
- A more detailed description of each requirement, with the addition of references to support guidance
- The introduction of organization-defined parameters (ODPs), which allow individual agencies to set their own criteria for identified controls.
Impact of Rev 3 on DIB contractors
The impact of Revision 3 is potentially significant for Defense Industrial Base (DIB) contractors, as they are required by the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the SP 800-171 version that is currently “in effect at the time the solicitation is issued,” if they want to bid on a contract.
The recent class deviation provides a blanket exemption to that rule and confirms that Revision 2 remains the standard of reference for the time being. By suspending compliance with NIST 800-171 Revision 3, the DoD is allowing for a more gradual transition, while preventing conflicts with the upcoming Cybersecurity Maturity Model Certification (CMMC) program, which is aligned with NIST 800-171 Revision 2 and is expected to be effective in the coming months.
What does the DoD class deviation mean to your business?
The exemption granted by the DoD currently has no end date: Revision 2 will remain acceptable until “rescinded.” However, contractors within the DIB should continue to implement Revision 2 in order to comply with the upcoming CMMC framework and also be mindful that the implementation of Revision 3 has simply been postponed and will be required in the near future.
