NIST SP 800-171 Overview
The National Institute of Standards and Technology (NIST) publishes security requirements for protecting Controlled Unclassified Information (CUI) outside federal systems in its Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171). Federal agencies flow these requirements down by contract. They apply to any federal contractor system that is not used or operated on behalf of the Federal Government and that stores, processes, and/or transmits CUI. When in doubt, a good rule of thumb is that if a system handles CUI but does not require an Authority to Operate (ATO), NIST SP 800-171 most likely applies.
As of August 2023, NIST SP 800-171 Revision 2 is the current standard and provides the foundation for the Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) framework, which is currently in the rulemaking process. NIST SP 800-171 Revision 3 is on the horizon, expected to be released in 2024 with significant changes to the current standard.
NIST SP 800-171 Revision 3
NIST released the Initial Public Draft of SP 800-171 Revision 3 on May 10, 2023, with a public comment period that ended on July 14, 2023. According to NIST, the new revision is meant to update the existing security requirements and control families to align with NIST SP 800-53 Revision 5 and the NIST SP 800-53B moderate control baseline. As part of these updates, three new control families were added to NIST SP 800-171 Revision 3: Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR).
Other significant changes include:
Updated tailoring criteria.
Increased specificity for controls to remove ambiguity, improve effective implementation, and clarify scope of assessment.
Introduction of organization-defined parameters (ODP) in selected controls to increase flexibility and help organizations better manage risk.
Prototype CUI overlay.
NIST Initial Analysis of Public Comments on Revision 3
On August 16, 2023, NIST issued a summary and analysis of the comments received during the public comment period. The analysis reviewed almost 1,700 comments from 82 organizations and individuals. The most noteworthy comment areas were Recategorization of Controls, the Prototype CUI Overlay, ODPs, and Security Requirements. The Security Requirements category alone accounted for over 80% of the comments received.
In response to these comments, NIST intends to make the following updates for the Final Public Draft:
Reduce the number of ODPs;
Re-evaluate the tailoring categories and eliminate the NFO category; and
Restructure and streamline the discussion section for each control.
NIST expects to release the Final Public Draft of NIST SP 800-171 Revision 3 and the Initial Public Draft of NIST SP 800-171A around October-December 2023. The final version of NIST SP 800-171 Revision 3 is expected to be released in early 2024.
Impact to DFARS 7012 and CMMC
Currently, the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012(b)(2)(i) does not name a specific revision of NIST SP 800-171; it points to the version "in effect at the time the solicitation is issued or as authorized by the Contracting Officer." In practice, this means contractors should expect to comply with the current version of NIST SP 800-171, unless the Contracting Officer authorizes a prior version. Contractors should be prepared to comply with NIST SP 800-171 Revision 3 once NIST publishes the final version, but an immediate transition is unlikely to be required. It is more likely that the DoD will issue guidance on the transition from Revision 2 to Revision 3 once Revision 3 is finalized, allowing contractors a reasonable period to meet the new requirements.
While CMMC requirements outlined in existing documentation from the DoD are based on NIST SP 800-171 Revision 2, CMMC is a separate and independent framework from NIST SP 800-171. Because of this separation, the DoD and the Cyber Accreditation Body (CyberAB) can update CMMC requirements independently from NIST’s updates to NIST SP 800-171.
This may split obligations for federal contractors. A contractor with both DoD and civilian agency clients may be required to comply with NIST SP 800-171 Revision 3, CMMC (i.e., NIST SP 800-171 Revision 2), or both until the two frameworks reach parity in their respective update timelines. Fortunately, organizations should be able to meet CMMC (i.e., NIST SP 800-171 Revision 2) requirements by implementing the NIST SP 800-171 Revision 3 requirements outlined in the current initial public draft.
If your organization is compliant with, or in the process of complying with, the requirements in NIST SP 800-171 Revision 2, continue with your current approach. NIST SP 800-171 Revision 3 is primarily a refinement of the existing controls, with few exceptions. RISCPoint recommends that any organization planning on or currently doing business with the Federal government become familiar with the current NIST SP 800-171 Revision 2 and the proposed changes in NIST SP 800-171 Revision 3, and implement the stricter version of each relevant control.
Do not hesitate to reach out to trusted experts to make sure your organization understands the ramifications and impacts to its strategic goals in pursuing or maintaining compliance with the variety of CUI cybersecurity requirements. RISCPoint is here to provide expert guidance and support as organizations work to understand the cybersecurity requirements of NIST SP 800-171 and its relationship to DFARS and CMMC.
RISCPoint is a partner-owned, industry-leading cybersecurity and compliance consultancy. We are a tight-knit team of experienced professionals who focus on integrating seamlessly with our clients to harmonize their security and compliance obligations with their business success. RISCPoint's team of experienced advisors delivers a comprehensive suite of FedRAMP services designed to guide your unique cloud solution through a successful initial and continued authorization. To learn more, visit riscpoint.com/contact or call 1-888-320-1327.