
The National Institute of Standards and Technology is updating the security standards that govern the protection of sensitive government information. NIST recently released an initial public draft for comment. The document will be the third version of its existing standard (NIST SP 800-171), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The comment period closes July 14, 2023.

NIST SP 800-171 applies to entities that handle or store government data in their systems under government projects. It forms the baseline for data security requirements those entities must meet. Included in the standard are best practices for protection of sensitive information in company systems.

As we wrote in our sister blog, this proposed third version adds new requirements, revises existing ones, and removes some outdated requirements. Examples of the new requirements include requiring organizations to:

  • Develop and implement methods to mitigate supply chain risks;
  • Establish a process for identifying or addressing weaknesses in the supply chain;
  • Provide incident response training to users;
  • Document an inventory of system components;
  • Limit the number of external network connections to the system;
  • Route internal network communications to external networks through an authenticated proxy server;
  • Develop system and component configurations for individuals traveling to high-risk areas;
  • Implement spam protection mechanisms at designated locations within the system to detect and act on unsolicited messages.

NIST anticipates releasing one more draft before publishing the final version in early 2024.

Putting it into Practice: The changes NIST has made to this standard mirror what we are seeing in other industries and reflect a growing focus on data security. Those interested can submit comments before the deadline. We will continue to track this development and monitor for the final version.