
NIST Proposes Revised Cyber Guidelines for Contractors Handling Sensitive Information


The National Institute of Standards and Technology (NIST) today announced the publication of revised guidelines on “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Stakeholders are invited to submit comments on the proposed document until July 14.

The NIST publication provides revised draft changes to NIST SP 800-171 Rev.3, which helps federal contractors understand how to protect and properly handle Controlled Unclassified Information (CUI) when working with government entities.

The changes clarify security requirements to better safeguard data, removing ambiguity and defining parameters in implementing cybersecurity protocols. They also increase flexibility in selected security requirements, and assist organizations in mitigating risk.

“Many of the newly added requirements specifically address threats to CUI, which recently has been a target of state-level espionage,” said Ron Ross, one of the publication’s authors and a NIST fellow. “We want to implement and maintain state-of-the-practice defenses because the threat space is changing constantly. We tried to express those requirements in a way that shows contractors what we do and why in federal cybersecurity. There’s more useful detail now with less ambiguity.”

Submit feedback on the draft guidance to [email protected] using the comment template. NIST is specifically interested in feedback on re-categorized controls, the inclusion of organization-defined parameters, and the prototype CUI overlay.

NIST anticipates publishing one more draft version of SP 800-171 Rev.3, followed by a final version in 2024.

Learn more: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations


Jana Zabinski

Senior Director, Communications & Public Relations



Beth Goodbaum

Journalist/Communications Specialist

