NIST Special Publication 800-171 Revision 3 — the standard for protecting Controlled Unclassified Information in non-federal systems — went final in May 2024. On January 5, 2026, the General Services Administration introduced a compliance framework requiring non-federal contractors handling CUI to implement Rev 3 controls, expanding the standard's reach beyond DoD-driven CMMC contracts. Coverage from Holland & Knight, NIST, and Crowell & Moring.

What's new in Rev 3

Three major changes vs. Rev 2:

  • Three new control families covering Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR). Nine new controls total.
  • 49 Organization-Defined Parameters (ODPs) — values inside controls (frequency, threshold, etc.) that the agency or contracting officer specifies rather than NIST. DoD has issued specific ODP values; GSA and other agencies are doing the same.
  • "Periodically" removed. NIST stripped the ambiguous "periodically" language from controls in favor of specific cadence requirements (often defined via ODP).

Why GSA's January 2026 move matters

Until recently, NIST 800-171 compliance was largely a DoD ecosystem requirement (via CMMC and DFARS 252.204-7012). GSA's January 5, 2026 framework extends the requirement to GSA-managed contracts handling CUI — which spans civilian agencies broadly.

Practical impact: thousands of contractors that previously felt 800-171 was a "DoD problem" now have to implement it for GSA-managed work. Any contractor on Multiple Award Schedule contracts handling CUI is potentially in scope.

How Rev 3 interacts with CMMC

CMMC Level 2 is built on NIST 800-171. Specifically: CMMC Level 2 requires implementation of the 110 security requirements from 800-171 Rev 2. The DoD has not yet formally migrated CMMC to Rev 3 (it's still on Rev 2 as of writing).

That creates a transitional gap: contractors implementing 800-171 today should build to Rev 3, even though CMMC technically scores against Rev 2. Rev 3-aligned implementations satisfy both, plus the new GSA framework.

Supply Chain Risk Management family — the sleeper

The new SR family is the one that requires fresh process design rather than just policy updates. It includes:

  • Documented supply chain risk management plan
  • Supplier identification and assessment processes
  • Acquisition strategy and process integration
  • Notification of compromise from suppliers
  • Tampering detection

Firms with deep supply chains (electronics, specialty manufacturing, IT integration) face the largest implementation lift.

What to do this week

  • Inventory which of your contracts handle CUI. If any are GSA-managed, the January 2026 framework applies.
  • If you've implemented 800-171 Rev 2, do a delta gap analysis against Rev 3. The biggest gaps will be in the new PL, SA, and SR families.
  • For contracts under DoD: continue tracking CMMC Phase 2 (November 10, 2026 — see our CMMC piece) but build Rev 3-aligned, not just Rev 2.
  • For ODP-driven controls: when bidding new contracts, request the agency-specific ODPs in writing. Don't guess.

Sources