In this second in our series, we look at the long awaited update to NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” which is expected to be released in late spring 2023. NIST SP 800-171 forms the backbone for contractor security requirements in Department of Defense regulations and the CMMC program. It remains unclear if this update will impact the rollout of the CMMC program. 

The National Institute of Standards and Technology (NIST) sought feedback in July 2022 on improvements to NIST SP 800-171 and the related CUI series of publications. It released an analysis of the public feedback in November 2022. According to NIST, the update will align requirements with NIST SP 800-53, Revision 5 and include an overlay of CUI security requirements to NIST SP 800-53. 

Putting it Into Practice – What to Expect in 2023: We expect to see further efforts to adopt a government-wide regulation protecting Controlled Unclassified Information, based on NIST SP 800-171, in the Federal Acquisition Regulations (FAR). Contractors subject to DoD regulations should continue to monitor for updates to the NIST CUI series and ensure ongoing compliance with these standards.