- AUTHOR: The folks at Scrut
New framework added: NIST 800-171 Revision 3
What's new?
Scrut now supports NIST 800-171 Revision 3 as part of our growing library of 60+ compliance frameworks.
The NIST Special Publication 800-171 Revision 3, finalized in May 2024, is the latest iteration of the standard for "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." Building upon previous versions, Revision 3 introduces greater clarity, aligns with NIST 800-53 Revision 5, and enhances the focus on third-party risk management.
Why it matters
NIST 800-171 Revision 3 is critical for government contractors and other nonfederal organizations handling Controlled Unclassified Information (CUI). It significantly refines and strengthens the security posture required to protect sensitive government information. Key changes include:
- Alignment with NIST 800-53 Rev. 5: Updates to security requirements and families to better reflect the rigorous controls in NIST SP 800-53, Revision 5, enhancing consistency across federal and nonfederal systems.
- New Control Families: Introduction of three new control families: Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR), bringing the total to 17 families and emphasizing a more holistic approach to security.
- Increased Specificity and Clarity: Enhanced clarity and specificity for security requirements to remove ambiguity and improve the effectiveness of implementation and assessment.
- Organization-Defined Parameters (ODPs): Strategic inclusion of ODPs in selected security requirements, offering greater flexibility for organizations to tailor controls to their specific operational context and risk profiles, while requiring agencies to provide clear guidance on these parameters.
- Enhanced Third-Party Risk Management (TPRM): A stronger emphasis on managing risks associated with third-party vendors and the supply chain, reflecting the growing attack surface through external dependencies.
These updates ensure the framework remains robust against evolving cyber threats and provides clear guidance for implementation and assessment, especially important for organizations subject to DFARS clauses.
How it works
- You can now find the NIST 800-171 Revision 3 framework in the Frameworks module.
- All requirements, controls, and evidence tasks are pre-configured for quick adoption.
- Controls are mapped to Scrut’s policy templates, existing evidence, and other frameworks (e.g., GDPR, ISO 27001) to reduce duplication.
- Assign control owners, set due dates, and track implementation progress directly within the platform.
- Export reports for auditors, regulators, or internal teams with a click.
Need help?
Your Customer Success Manager (CSM) is always ready to help if you need assistance.