Start Your Journey Towards NIST 800-171 and CMMC Certification
Don’t be a Victim of Cyber Attacks
Bluestreak Consulting™ can help reduce your Cybersecurity Risk.
NIST Issues Proposed Draft SP 800-171 From Revision 2 to Revision 3
On May 10, 2023, the National Institute of Standards and Technology (NIST) released an initial public draft (IPD) of Revision 3 to NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which establishes security controls that apply to non-federal information systems that store, process, or transmit controlled unclassified information (CUI). The final version of NIST SP 800-171 Rev 3 is expected to be released in early 2024.
Don’t panic about the proposed changes in Rev 3. If you handle CUI and are working towards your compliance, continue to implement Rev 2. Don’t wait until Rev 3 is fully released to start. Remember, DFARS mandates that if you are a DoD prime contractor or subcontractor with CUI, you need to comply with NIST 800-171 Rev 2 requirements and be certified at CMMC Level 2 or 3. The CMMC certification deadline is 2025 and it’s fast approaching.
Some Of The Key Changes
NIST SP (Special Publication) 800-171 outlines security requirements that government contractors should (and in some instances, may be required to) implement in covered information systems. The U.S. government has increasingly required that contractors put in place similar security measures for non-federal information systems that store, process, or transmit CUI. The updates set out in Revision 3 seek to harmonize SP 800-171 with SP 800-53, and in turn, make it easier for contractors to comply with the requisite cybersecurity measures. Several key changes are noted below.
Elimination of Basic Security Requirements Compliance: Revision 3 removes the distinction between the basic security requirements of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and the ‘derived’ requirements from SP 800-53. Previously, contractors were required to comply with both basic and derived controls, but through Revision 3, contractors will only be required to show compliance with derived controls.
Updated Security Requirement Specifications: Prior to this revision, certain security requirements in SP 800-171 were defined at a high level, leaving them open to interpretation by contractors. In turn, those entities assessing contractor compliance could have differing expectations or interpretations of whether the organization had in fact satisfied the relevant requirement. Revision 3 makes these requirements more specific. While this may offer clarity regarding the U.S. government’s expectations of non-federal information systems, the added detail could have unintended consequences. The current SP 800-171 standards were intended to provide contractors with some level of flexibility, based on risk assessments performed. Even with that ‘intended’ flexibility, many contractors (particularly small businesses) have faced compliance challenges, and making the requirements more prescriptive may only increase those difficulties.
Addition of New Security Requirements: With Revision 3, NIST added new security requirements to several control families, including Access Control, Identification and Authentication, Physical Protection, Risk Assessment, Systems and Communication Protection, Systems and Information Integrity, and to the newly added security requirement families — Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR). These additions did not significantly increase the total number of security requirements imposed by SP 800-171, in part because several existing requirements were withdrawn as outdated or redundant, but contractors should still be on the lookout for multi-part (or combined) requirements imposing new obligations.
Development of a Prototype CUI Overlay: Prior to the issuance of Revision 3, many organizations expressed concerns over the different security and risk management frameworks applied to the public and private sectors. In response, NIST added a “Prototype CUI Overlay” to SP 800-171. NIST developed this prototype matrix to show how the moderate control baseline in SP 800-53 is tailored at the control level and to map those tailored controls to the security requirements necessary to protect CUI.
Introduction of Organization-Defined Parameters (ODPs): In select security requirements, NIST added ODPs, which afford federal agencies the flexibility to “specify values for the designated parameters”. ODPs can be based on “laws, Executive Orders, directives, regulations, policies, standards, guidance, or mission and business needs”. Once specified, those ODPs become part of the requirement. This could create various challenges for contractors, particularly those that do business with a variety of federal agencies and may therefore be forced to comply with different, and potentially conflicting, customer requirements.
The Department of Defense (DoD), through the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, requires contractors with information systems that store, process, or transmit covered defense information (CDI; essentially, CUI obtained in the performance of a DoD contract) to comply with SP 800-171. DFARS 252.204-7012 generally requires contractors to comply with the SP 800-171 security controls in effect when the solicitation was issued, but notes the contracting officer’s ability to authorize otherwise. Other agencies are also expected to roll out cybersecurity requirements that utilize SP 800-171 standards. This means contractors should be prepared to comply with Revision 3, not only for future contracts but also because agencies may choose to implement the security controls and requirements through a contract modification.
Revision 3 could also affect the Cybersecurity Maturity Model Certification (CMMC) program. Recent DoD guidance indicates that CMMC will establish three “Maturity Levels” (down from the five Maturity Levels under the so-called “CMMC 1.0”). Contractors that store, transmit, or process CUI on non-federal information systems must meet Maturity Level 2 (formerly Maturity Level 3), which is based on SP 800-171 standards. It’s not clear whether or how CMMC will incorporate any SP 800-171 revisions and, if it does, how that may affect contracts that are certified under existing SP 800-171 standards.
As stated earlier, it is crucial to begin (or continue) working towards compliance with Rev 2, so that when Rev 3 comes out, you will be that much closer to compliance, and your customers will see that your compliance program is actively progressing. If you wait until the release of Rev 3, you will be well behind your competitors and one to two years away from full compliance, which would not be acceptable to your DoD or government prime customers.
Let us help you secure your data and secure your future.