NIST SP 800-171 Revision 3 Update: What Federal Contractors Need to Know

The long-awaited update to NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," is finally here! Set to be released in the late spring of 2023, the update revises the publication that forms the backbone of contractor security requirements in Department of Defense regulations and the CMMC program. But will it impact the rollout of the CMMC program? We'll have to wait and see.

The National Institute of Standards and Technology (NIST) sought feedback in July 2022 on improvements to NIST SP 800-171 and the related CUI series of publications. After releasing an analysis of the public feedback in November 2022, NIST has announced that the update will align requirements with NIST SP 800-53, Revision 5, and include an overlay of CUI security requirements to NIST SP 800-53.

So, what can we expect in 2023? We can expect to see further efforts to adopt a government-wide regulation protecting Controlled Unclassified Information, based on NIST SP 800-171, in the Federal Acquisition Regulation (FAR). Contractors subject to DoD regulations should continue to monitor for updates to the NIST CUI series and ensure ongoing compliance with these standards. With cyber threats on the rise, it is more important than ever to stay up to date with the latest security standards to protect your organization's sensitive information. Don't miss out on the opportunity to ensure your organization's security is top-notch. Stay informed and stay compliant with the updated NIST SP 800-171.

This update impacts all federal contractors and subcontractors that receive and/or create CUI. It is crucial for these organizations to monitor for updates to the NIST CUI series and ensure ongoing compliance with these standards. Failure to comply with NIST SP 800-171 can result in significant consequences, including fines, contract termination, and damage to reputation.

NIST SP 800-171 has a significant impact on the False Claims Act (FCA) for federal contractors and subcontractors. The FCA is a federal law that prohibits individuals and organizations from submitting false or fraudulent claims for payment to the government. Compliance with NIST SP 800-171 is a requirement for all federal contractors and subcontractors that handle Controlled Unclassified Information (CUI).

Under the FCA, contractors can be held liable for false claims if they fail to comply with contractual requirements, such as NIST SP 800-171. This means that if a contractor or subcontractor fails to meet the security requirements outlined in NIST SP 800-171, they could be found to have submitted a false claim for payment to the government. This could result in significant fines and penalties, and even exclusion from future government contracts.

The updated NIST SP 800-171 is a key step in protecting CUI in nonfederal systems and organizations. Visit to track the latest NIST SP 800-171 Revision 3 updates.
