Today, the National Institute of Standards and Technology ("NIST") published Special Publication 800-171, Revision 2, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.
According to the press release, NIST SP 800-171 Rev. 2 contains only minor editorial changes and does not change any of the basic and derived security requirements under the framework:
Revision 2 provides minor editorial changes in Chapters One and Two, and in the Glossary, Acronyms, and References appendices. There are no changes to the basic and derived security requirements in Chapter Three.
As many defense contractors are aware, NIST SP 800-171 contains the security controls that contractors must currently self-certify compliance with when their contracts include DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
NIST SP 800-171 also serves as a foundational element in the Department of Defense's new CMMC framework (i.e., contractors assessed at CMMC Level 3 will be compliant with NIST SP 800-171). When the CMMC is fully implemented, all defense contractors will be required to obtain a third-party assessment of their cybersecurity posture to be eligible to compete for defense contracts.