SP 800-171 Rev. 2: Understanding the New Cybersecurity Standard for Defense Contractors

SP 800-171 Rev. 2 is a set of cybersecurity requirements developed by the National Institute of Standards and Technology (NIST) to protect CUI stored on non-federal information systems. Released in 2020 (updates to January 28, 2021), it aligns with NIST’s Cybersecurity Framework (CSF) and aims to safeguard sensitive information, such as technical data, export-controlled information, or sensitive government information.

Key Changes in SP 800-171 Rev. 2

The updated standard expands the previous requirements in several ways. First, it aligns better with the NIST CSF, providing a comprehensive and risk-based approach to cybersecurity. Second, it has more security needs, including requirements for secure password management, vulnerability management, and incident response. Third, it clarifies several requirements, such as network security, encryption, and access control.

Implications for Defense Contractors

Defense contractors must comply with SP 800-171 Rev. 2 if they store, process, or transmit CUI on their systems. The new standard expands the previous requirements, making it more challenging for organizations to meet the standard’s requirements. Failure to comply can result in significant consequences, such as financial penalties and loss of business.

Meeting the Requirements of SP 800-171 Rev. 2

To meet the requirements of SP 800-171 Rev. 2, organizations must take several steps:

Assess Their Current Security Posture

Organizations should assess their current security posture and identify areas where they may need to make improvements, such as updating technical controls, improving incident response processes, and implementing additional security measures.

Develop a Plan to Implement the Standard

Organizations need to make a plan that fits their security needs and resources to follow the updated standard. This plan should include a timeline, budget, and clear goals.

Implement the Standard

Organizations should implement the security measures outlined in the standard, including technical controls, incident response processes, and security policies.

Monitor and Review

Organizations need to check their security often to ensure they are following the rules. This means they should assess their security, test how they respond to problems, and update their security when needed.

In conclusion, SP 800-171 Rev. 2 is crucial for defense contractors who deal with sensitive information. The updated standard includes many parts of information security, such as controlling access to information and handling problems that might come up. Following these rules is essential to keep important information safe and protect national security. Contractors who haven’t started following the new rules should start as soon as possible.

Share in Social Media

case studies

See More Case Studies

microsoft 365 GCC High

What is GCC High?

Microsoft 365 Government Community Cloud (GCC) High is a specialized cloud solution tailored for U.S. federal, state, local, tribal, and territorial government organizations, as well as for contractors who hold or process data subject to specific security regulations. In this article, we will explore the features, benefits, and differences between Microsoft 365 GCC High and other Office 365 offerings.

Learn more
Contact us

Partner with Us for Compliance & Protection

We’re happy to answer any questions you may have and help you determine which of our services best fit your needs.

Your benefits:
What happens next?

Schedule an initial meeting


Arrange a discovery and assessment call


Tailor a proposal and solution

How can we help you?