What It Is

NIST SP 800-171 Revision 3 is a U.S. government framework providing security requirements for protecting Controlled Unclassified Information (CUI) confidentiality in nonfederal systems. Tailored from SP 800-53 Moderate baseline, it uses a control-based approach focused on scoping to CUI components.

Key Components

• 97-110 requirements across 14-17 families (e.g., Access Control, Audit, Configuration Management; r3 adds Planning, Supply Chain Risk Management)
• Built on FIPS 200 and SP 800-53
• Requires System Security Plan (SSP) and Plan of Action and Milestones (POA&M)
• Assessed via SP 800-171A procedures (examine/interview/test)

Why Organizations Use It

• Contractual mandate via DFARS 252.204-7012 for DoD contractors
• Enables CMMC Level 2 certification and SPRS scoring
• Reduces CUI breach risks, ensures procurement eligibility
• Builds stakeholder trust in federal supply chains

Implementation Overview

• Phased: scoping/gap analysis, SSP/POA&M development, control deployment, continuous monitoring
• Applies to contractors handling CUI; scales by enclave architecture
• Self or third-party assessments; r3 emphasizes ODPs and governance

What It Is

Basel III is the international prudential regulatory framework issued by the Basel Committee on Banking Supervision (BCBS) following the 2007-2009 financial crisis. It strengthens bank resilience through enhanced capital quality and quantity, leverage constraints, and liquidity standards. The risk-based approach integrates minimum ratios with buffers and non-risk-based metrics to address model risks and ensure comparability.

Key Components

• **Pillar 1Capital ratios (CET1 4.5%, Tier 1 6%, Total 8%) plus buffers (Conservation 2.5%, Countercyclical, G-SIB/D-SIB); leverage ratio 3%; LCR and NSFR at 100%.
• **Pillar 2Supervisory review via ICAAP and stress testing.
• **Pillar 3Standardized disclosures for RWA comparability and distribution constraints. Built on three-pillar structure; compliance enforced via ratios, no fixed controls count.

Why Organizations Use It

Banks adopt Basel III for mandatory jurisdictional compliance, reducing systemic risks, and enhancing solvency. It drives strategic balance-sheet optimization, improves funding costs, boosts stakeholder confidence, and mitigates crisis vulnerabilities like liquidity evaporation.

Implementation Overview

Phased enterprise program: gap analysis, data/IT upgrades, model governance, training. Targets internationally active banks globally; requires ongoing reporting, no formal certification but supervisory audits and Pillar 3 disclosures.