Cybersecurity Compliance Solutions

Civilian Agencies & NIST 800-171 Compliance

It's not just the DoD that requires NIST 800-171 compliance. Many civilian agencies are now adopting and mandating compliance.

Civilian Agencies & NIST 800-171


Adoption patterns across civilian agencies (status quo)

  1. Policy & guidance references:
    • GSA’s CUI Guide points to 800-171 when CUI may be present outside federal systems. (Source: U.S. General Services Administration)
    • HHS issued an HHSAR class deviation: use 800-53 if the contractor operates a system on behalf of the agency; use 800-171 when the CUI is on an internal contractor system. This is a clear, practical split that many follow informally. (Source: HHS.gov)
  2. Contract clause activity (agency-specific):
    • NASA revised and uses NFS 1852.204-76 and issued CUI-implementation class deviations (PCD 21-01/21-01B) to tighten security expectations for unclassified IT and align with its CUI program, enabling 800-171-style safeguarding for contractor systems handling CUI. (Sources: Acquisition.gov, hq.nasa.gov)
  3. Variation & gaps (pre-FAR rule):
    • Without a single, government-wide FAR clause (yet), agencies have diverged in how (and how strongly) they impose 800-171—some by policy, some by bespoke contract language, and others minimally (e.g., relying only on FAR 52.204-21’s “basic safeguarding” controls when CUI is not in scope). (Source: Acquisition.gov)

What’s changing (2025+)

  • FAR CUI Rule is moving: The FAR Council issued a proposed rule on January 15, 2025 to standardize CUI handling across all federal contracts—not just DoD—explicitly positioning agencies to flow 800-171 where CUI is involved. It’s been progressing toward a final rule through 2025 (appearing in the Spring 2025 Unified Agenda). Expect more uniform civilian adoption once finalized. (Sources: Federal Register, Greenberg Traurig)
  • DoD remains the maturity benchmark: DFARS 252.204-7012/7019/7020 and the DoD Assessment Methodology (SPRS scoring) provide a model for oversight that civilian agencies may partially emulate after the FAR CUI rule is final. (Source: Acquisition.gov)
  • 800-171 Rev. 3 published: NIST released Rev. 3 (2024), signaling evolution ahead; agencies will align their clauses/policies over time. (Source: NIST Computer Security Resource Center)

Practical implications (for contractors working with civilian agencies)

  • Assume 800-171 when CUI is present: If a civilian contract includes CUI, plan on implementing 800-171 controls and documenting them in an SSP & POA&M—even if the clause language varies. (Source: NIST Computer Security Resource Center)
  • Differentiate hosting scenarios: If you’re running a system on behalf of the agency (an O&M or “agency system”), expect 800-53 baselines; if it’s your environment with CUI, expect 800-171. HHS’s deviation makes this split explicit. (Source: HHS.gov)
  • Watch clauses beyond “basic safeguarding”: FAR 52.204-21 alone isn’t an 800-171 surrogate; it’s a minimum set of 15 controls for Federal Contract Information (FCI), not CUI. If CUI is in play, 800-171 should be flowed down separately. (Source: Acquisition.gov)

Common challenges we see

  • Clause inconsistency & ambiguity: Until the FAR CUI rule is final, solicitations may mix policies, guides, and legacy language—raising interpretation risk. (Contrast this with DoD’s clearer DFARS path.) (Source: RegInfo.gov)
  • Verification/oversight unevenness: DoD uses SPRS scores and can perform Medium/High assessments. Civilian agencies often lack an equivalent mechanism today, though the forthcoming FAR framework is expected to tighten expectations. (Source: Acquisition.gov)
  • Grant/cooperative agreements: Not all civilian CUI flows are classic procurement; 800-171 requirements may surface in assistance terms without the same compliance machinery, creating gray areas. (NIST’s scope statement still applies: agencies should use 800-171 when CUI sits in nonfederal systems.) (Source: NIST Computer Security Resource Center)

Outlook (next 12–24 months)

  • Convergence on a uniform baseline: Once the FAR CUI rule is finalized, expect most civilian agencies to consistently require 800-171 whenever CUI is involved—closing the “policy gap” and reducing inter-agency variability. (Source: Federal Register)
  • More explicit scoping language: You’ll see clearer contract language differentiating 800-53 (agency systems / on-behalf-of) vs. 800-171 (contractor internal systems with CUI)—mirroring HHS’s approach and NASA’s CUI implementation moves. (Source: HHS.gov)
  • Preparation for Rev. 3: Agencies and contractors will start mapping from Rev. 2 to Rev. 3 requirements and any agency-specific overlays as timelines are set. (Source: NIST Computer Security Resource Center)

Quick examples you can cite internally

  • NASA: Updated clause 1852.204-76 and issued CUI class deviations to strengthen unclassified IT security for contractor systems—an early mover among civilian agencies. (Source: hq.nasa.gov)
  • HHS: Policy split—800-53 for systems operated on behalf of HHS; 800-171 for contractor internal systems processing CUI. (Source: HHS.gov)
  • GSA: CUI program guide acknowledges 800-171 for nonfederal systems handling CUI. (Source: U.S. General Services Administration)



Update

  • NIST 800-171 is the federal government’s recommended baseline for safeguarding CUI in contractor environments; agencies flow it when CUI leaves federal systems. (Source: NIST Computer Security Resource Center)
  • DHS took a distinct path: its HSAR clause requires “adequate security” via DHS policies and procedures (not a blanket 800-171 citation), plus tighter incident reporting—functionally overlapping 800-171 but governed by DHS rules. (Sources: Acquisition.gov, Federal Register)
  • GSA (GWAC owner) publishes guidance that explicitly references 800-171/800-172 for nonfederal systems handling CUI—so GWAC task orders that involve CUI commonly point contractors to 800-171-style safeguards, even when the master vehicle doesn’t hard-code them. (Source: U.S. General Services Administration)
  • The FAR CUI rule (proposed Jan 15, 2025) aims to standardize CUI safeguarding and incident reporting across all civilian agencies, which should reduce today’s clause-by-clause variability. (Source: governmentcontractslaw.com)

What 800-171 covers (civilian context)

800-171 gives security requirements to protect CUI when it resides in nonfederal systems and organizations—that is, contractor networks and services. Agencies apply it when CUI is present and no law/regulation/policy prescribes a different safeguarding regime. (Source: NIST Computer Security Resource Center)


What’s changing (2025+)

  • FAR CUI proposed rule: Introduces standardized FAR clauses for CUI safeguarding and incident reporting across civilian agencies, which should normalize when/how 800-171 is flowed to contractors. (Status: proposed Jan 2025, moving through the rulemaking pipeline.) (Source: governmentcontractslaw.com)
  • NIST SP 800-171 Rev. 3 (2024): The current edition agencies reference; watch for order/vehicle updates that explicitly cite Rev. 3 or agency overlays. (Source: NIST Computer Security Resource Center)

Practical guidance (actionable)

  1. Scope CUI early at the opportunity level (especially on GWAC task orders): If CUI is present, plan to implement and evidence 800-171 Rev. 3 controls (SSP, POA&M, inheritance) unless the agency mandates a different specific framework (e.g., DHS policies via HSAR). (Source: Acquisition.gov)
  2. Differentiate FCI vs. CUI: FAR 52.204-21 covers basic safeguarding of FCI and is not a substitute for 800-171. Don’t stop at 52.204-21 when the work involves CUI. (Source: Legal Information Institute)
  3. For DHS work: Map your 800-171 control set to DHS policy requirements cited by HSAR 3052.204-72 and validate incident reporting specifics (timelines, portals). (Source: Acquisition.gov)
  4. For GSA/GWAC work: Align with GSA CIO-IT guides and expect 800-171/172 references when the order includes CUI. Keep an eye on Alliant 3 and future Polaris updates for how they incorporate the FAR CUI regime once finalized. (Source: U.S. General Services Administration)

Bottom line

  • Civilian agencies do use 800-171 for contractor-hosted CUI, but how they impose it varies today: DHS uses HSAR + policy (not a direct 800-171 citation), while GSA guidance and GWAC task orders often point squarely at 800-171/172 for nonfederal systems. The FAR CUI rule should harmonize these practices government-wide and clarify expectations inside GWAC ecosystems. (Sources: Acquisition.gov, U.S. General Services Administration)

800-171 Adoption by Civilian Agency


The following is a tighter sweep of civilian adoption patterns, excluding DoD. Each entry has a plain-English takeaway plus a source trail.

1) Department of Homeland Security (DHS)

Clause: HSAR 3052.204-72 “Safeguarding of CUI” (Jul 2023) — requires “adequate security,” defined as compliance with current DHS policies and procedures, plus strengthened incident reporting. It doesn’t name 800-171 directly but drives comparable outcomes through DHS rules. Takeaway: Map your 800-171 controls to DHS policy language and follow DHS reporting portals/timelines. (Sources: Federal Register, Acquisition.gov)

2) General Services Administration (GSA)

Guides: GSA CIO-IT security guides and the GSA CUI Program Guide explicitly reference NIST SP 800-171/800-172 for protecting CUI in nonfederal systems. Takeaway: On GSA-managed buys, expect 800-171-aligned requirements when CUI is in scope. (Source: U.S. General Services Administration)

3) GWACs (e.g., Alliant 3, Polaris)

Pattern: The master GWAC usually sets broad cyber baselines (e.g., FAR 52.204-21 for FCI). CUI-specific requirements are typically added at the task-order level (or via the ordering agency’s clause—e.g., DHS HSAR). Takeaway: Treat the order as control authority; assume 800-171 when CUI is present. (Source: U.S. General Services Administration)

4) Department of Health & Human Services (HHS)

Action: HHSAR Class Deviation 2024-01 updated IT security clauses and directs use of HHS security/privacy clauses for IT resources; HHS guidance distinguishes agency-operated systems vs. contractor-hosted environments. Takeaway: If CUI sits in your environment, align your 800-171 implementation to the applicable HHS clause set. (Source: HHS.gov)

5) National Aeronautics and Space Administration (NASA)

Clauses/Deviations: NFS 1852.204-76 (Security requirements for unclassified IT) + Procurement Class Deviations implementing NASA’s CUI program and revising the clause. Takeaway: NASA flows CUI safeguards via NFS + deviations; expect requirements that effectively map to 800-171 for contractor-hosted CUI. (Sources: Acquisition.gov, NASA HQ)

6) Department of Veterans Affairs (VA)

Clause: VAAR 852.204-71 “Information and Information Systems Security” (with VA Handbook 6500 series). Pattern: VA clauses lean on VA’s internal cyber program; where CUI/VA-sensitive info is contractor-hosted, the implementation typically aligns with 800-171-style safeguards. Takeaway: Map 800-171 to VA Directive/Handbook 6500 controls and contract terms. (Sources: Acquisition.gov, Veterans Affairs)

7) Department of State (DOS)

Clause: DOSAR 652.239-71 “Security Requirements for Unclassified IT Resources.” Focuses on contractor responsibility for IT security based on DOS risk assessments for systems connected to or operated for DOS. Takeaway: DOS prescribes agency (not 800-171-named) controls; align 800-171 safeguards to DOSAR-driven security plans. (Sources: Acquisition.gov, Legal Information Institute)

8) Environmental Protection Agency (EPA)

EPAAR: Information-security related clauses (e.g., 1552.211-79) govern IRM policy compliance for IT deliverables/operations; EPAAR subpart 1552 collects agency clauses. Takeaway: EPA uses agency-specific policy clauses; when CUI is contractor-hosted, apply 800-171 as the recommended federal baseline unless the clause prescribes something else. (Source: Acquisition.gov)

9) Social Security Administration (SSA)

Template/Terms: SSA’s Information Security & General Privacy Requirements explicitly call out safeguarding CUI consistent with 32 CFR 2002. Takeaway: SSA ties CUI handling to the government-wide CUI rule; contractors should implement 800-171 when CUI resides in nonfederal systems. (Source: Social Security Administration)

10) Department of Transportation (DOT)

TAR Clauses: 1252.239-70/-71/-72 require security plans, accreditation, and safeguarding of DOT sensitive data (with separate incident reporting). Takeaway: Agency-specific controls dominate; for contractor-hosted CUI, apply 800-171 in addition to DOT clause specifics. (Sources: Department of Transportation, Acquisition.gov)

11) Department of Commerce (DOC) (incl. USPTO/NOAA)

CAR: 1352.239-72 “Security requirements for information technology resources.” Agency-specific security requirements apply to contractor access to DOC information systems and data. Takeaway: Use 800-171 to protect contractor-hosted CUI unless DOC specifies different safeguards. (Sources: GovInfo, Acquisition.gov, Legal Information Institute)

12) General “What to Expect” (Cross-Agency)

  • FAR 52.204-21 (basic safeguarding) applies to FCI, not CUI. For CUI in nonfederal systems, the recommended baseline is NIST SP 800-171 (Rev. 3) (and sometimes 800-172 enhancements). Takeaway: Don’t stop at 52.204-21 when CUI is in scope. (Source: Acquisition.gov)

13) What’s Changing: FAR CUI Rule (Civilian-wide)

Proposed Jan 15, 2025: FAR Council’s CUI rule standardizes identification, safeguarding, and incident reporting for all executive agencies, operationalizing NARA’s 32 CFR Part 2002. Takeaway: Expect more uniform 800-171 flow-downs (for nonfederal systems) once final. (Sources: Government Contracts Law, Federal Register, Greenberg Traurig)

14) Why 800-171 keeps showing up (even when not named)

NIST 800-171 (Rev. 3) is the government’s recommended requirements set to protect CUI in nonfederal systems; agencies use it unless law/regulation/policy mandates something else. Takeaway: If your contract involves CUI and the system is yours, plan on implementing 800-171 Rev. 3 controls with an SSP/POA&M—then tailor to the agency’s clause set. (Source: NIST Computer Security Resource Center)
