Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

NIST SP 800-171 R3: An Overview of the Changes

NIST SP 800-171 R3: An Overview of the Changes

Blog Article Published: 01/09/2024

Originally published by Schellman.

In the latest revision of documents pertinent to the ongoing CMMC countdown, NIST SP 800-171 R3 has been released. Though there were only a handful of changes in this new version, there were some significant ones regarding the assessment practices and their presentation that those monitoring the progress of CMMC should know.

Why these changes? At a high level, NIST endeavors to eventually align the 800-171 model to 800-53, but as the latter framework is notably more involved than the former, to maintain the spirit of 800-171 and the protection of Controlled Unclassified Information (CUI), NIST 800-171 will essentially become a subset overlay to NIST 800-53 (in the future).

That’s why the assessment practices are changing somewhat in this latest revision—in many cases, organization-defined parameters (referred to as “ODP” in the new NIST documentation) are being added to increase flexibility and help organizations better manage risk. Several practices are also being removed or consolidated, while some altogether new practices are being added.

We’re going to break down the changes in NIST SP 800-171 R3 by family. Though more changes will surely come eventually, with this information, you’ll be able to go ahead and get started tailoring your approach.

NIST SP 800-171 R3 Updates

NIST SP 800-171 R3 Practice Family Changes

As it relates to the assessment practices, R3 has added, removed, and consolidated many of the practices from Revision 2. These changes to the assessment practices are summarized by practice family as follows:

Practice Family



Access Control


  • 3.1.13, 3.1.14, and 3.1.15 (Remote Access) into 3.1.12
  • 3.1.17 (Wireless Access Protection) into 3.1.16
  • 3.1.19 (Mobile Device Protection) into 3.1.18


3.1.23 added to address session logout following a period of inactivity—this new practice is essentially an extension of previously existing practice 3.1.11.


Configuration Management


3.4.7 (Prevention of Non-Essential Functionality) into 3.4.6


Identification and Authentication


  • 3.5.6 (Disabling Identifiers After a Period of Inactivity)
  • 3.5.8 (Password Reuse)


3.5.9 and 3.5.10 (Temporary Passwords and Password Encryption) into 3.5.7


3.5.12 (Authenticator Management) regarding controls for managing authenticators which had previously been covered under other practices.




3.7.1 (Performance of System Maintenance) has been reclassified as NCO (or, not directly related to protecting the confidentiality of CUI).


  • 3.7.2 (Control of Tools, Techniques, Mechanisms, and Personnel Within The Performance Of Maintenance) into 3.7.4 and 3.7.6
  • 3.7.3 (Sanitization of Disposed Equipment) into 3.8.3


Media Protection


  • 3.8.6 (Media Accountability) into 3.8.5
  • 3.8.8 (Use of Portable Storage Devices) into 3.8.7


Physical and Environmental Protection


3.10.3, 3.10.4, and 3.10.5 (Facility Access by Visitors) have all been incorporated into a new practice, 3.10.7 for Physical Access Control.


3.10.8 (Physical Access to Transmission Lines (e.g., network cables and devices, etc.) and Output Devices (e.g. printers, scanners, etc.).


Risk Assessment


3.11.3 (Vulnerability Remediation) into 3.11.2

3.11.4 (Response from Risk Assessments)

3.12 – Security Assessment


3.12.4 (Creation and Management of the System Security Plan) into 3.15.2


  • 3.12.5 (Independent Assessment): Addresses the potential conflict of interest that might exist when an organization’s system management and security controls would be assessed by the same individuals who are managing them—now, independent assessors are required to evaluate those controls.
  • 3.12.6 (Information Exchange): Requires the documenting and secure managing of the exchange of CUI between organizations (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual).
  • 3.12.7 (Internal System Connections): Deals with the authorization and periodic review of intersystem connections within an organization.


System and Communications Protection


  • 3.13.2 (Use Of Architectural Designs, Software Development Techniques, and Systems Engineering Principles to Promote Effective Security) into 3.16.1
  • 3.13.5 (Subnetting Publicly Available Network Segments) into 3.13.1
  • 3.13.16 (Protection of CUI at Rest) into 3.13.8


3.13.14 (Control of VoIP Technologies), as it represents a technology-specific practice.


  • 3.13.17: Addresses the protection of internal network traffic routing to external points over a designated proxy server.
  • 3.13.18: Regards control access points into the system and incorporates portions of the former 3.1.14


System and Information Integrity


  • 3.14.4 and 3.14.5 (Updating Malicious Code Mechanisms and Scanning of Systems) into 3.14.2
  • 3.14.7 (Identification of Unauthorized Systems) into 3.14.6


3.14.8: Addresses the control of spam or unsolicited email messages.

New Families in NIST SP 800-171 R3

Aside from these changes, some entirely new practice families were also added to ensure a more comprehensive assessment, changing the total number of families to be assessed from 14 to 17.Those three new families are:

  • 3.15 – Planning
  • 3.16 – System and Services Acquisition
  • 3.17 – Supply Chain Risk Management

New Practice Family




  • 3.15.1 (Policy and Procedures): States that an organization must develop and document the policies and procedures associated with achieving compliance with 800-171 and that those documents are routinely reviewed and updated.
  • 3.15.2 (System Security Plan): Not a “new” practice so much as it is a housekeeping item that has moved this requirement from 3.12.4.
  • 3.15.3 (Rules of Behavior): Requires that the organization define rules describing the responsibilities and expected behavior regarding usage and the handling of CUI for individuals requiring access to the system.


System and Services Acquisition

  • 3.16.1 (Security Engineering Principles): Specifies that an organization apply systems security engineering principles in the specification, design, development, implementation, and modification of the system and system components, including tactics such as:
    • Layered protections in development
    • Security policies, architecture, and controls as the foundation for design
    • Incorporation of security requirements into the system development life cycle
    • Physical and logical security boundaries
    • Training for developers on how to build trustworthy secure software
  • 3.16.2 (Unsupported System Components): Stipulates that the organization must replace system components that are no longer supported by the developer, vendor, or manufacturer, or provide options for alternative sources for continued support for unsupported components.
  • 3.16.3 (External System Services): Requires that any providers of external system services comply with the organization security requirements, with documentation and ongoing oversight for those external services.


Supply Chain Risk Management

  • 3.17.1 (Supply Chain Risk Management Plan): Requires a plan for managing supply chain risks associated with the development, manufacturing, acquisition, delivery, operations, maintenance, and disposal of the system, system components, or system services.
  • 3.17.2 (Acquisition Strategies, Tools, and Methods): Instructs the organization to develop and implement acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks.
  • 3.17.3 (Supply Chain Controls and Processes): Requires that the organization define processes for identifying and addressing weaknesses or deficiencies in their supply chain and employ controls to protect those risks, thus limiting the harm or consequences from supply chain disruption.
  • 3.17.4 (Component Disposal): An extension of 3.8.3 concerned with the disposal of media containing CUI, expands the scope to include the disposal of system components, documentation, or tools containing CUI.

Though R3 essentially retains all of the practices from Revision 2, because redundant practices have been removed and related practices are being consolidated into single practices as distinct assessment objectives—together with the families and practices that are being added—the overall scope of a R3 assessment will increase relative to Revision 2. R3 still has a total of 110 practices with which an organization subject to NIST 800-171 must comply.

What to Expect From NIST SP 800-171 Moving Forward

Up-to-date information concerning developments in NIST SP 800-171 R3 is available at the NIST website, along with other resources that provide further detail concerning the changes that are taking place, including tools to help organizations assess the impact of Release 3 on their compliance initiatives.

Make sure to check out our other in-depth content that can help you get ready for CMMC:

Share this content on your favorite social network today!