Do a security assessment now and submit your score to the SPRS or risk being left behind.
Bluestreak Consulting
Are You Prepared for the NIST 800-171 Changes Coming in 2024?
The final version of NIST 800-171 Rev 3 is expected to be released in early 2024. The proposed changes from Rev 2 to Rev 3 are substantial. Here are some of the key changes:
• The elimination of Basic (FIPS 200) Security Requirements Compliance
• Updated Security Requirement Specifications
• Addition of New Security Requirements (e.g. three new Control ‘families’)
• Withdrawal of Security Requirements
• Development of a Prototype CUI Overlap between NIST 800-53 Rev 5 and 800-171 Rev 3
• Introduction of Organization-Defined Parameters (ODPs) specific to your organization
What has not changed is that companies that handle CUI must comply with the NIST 800-171 cybersecurity standards. Failure to comply can result in significant consequences, including loss of contracts and damage to the company’s reputation. With the release of Rev 3, companies must ensure they are up to date with the latest security requirements.
NIST Issues Proposed Draft SP 800-171 From Revision 2 to Revision 3
On May 10, 2023, the National Institute of Standards and Technology (NIST) released an initial public draft (IPD) of Revision 3 to NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, which establishes security controls for non-federal information systems that store, process, or transmit controlled unclassified information (CUI). The final version of NIST SP 800-171 Rev 3 is expected to be released in early 2024. Don’t panic about the proposed changes in Rev 3. If you handle CUI and are working towards compliance, continue to implement Rev 2; don’t wait until Rev 3 is fully released to start. Remember, DFARS mandates that if you are a DoD prime contractor or subcontractor handling CUI, you must comply with the NIST 800-171 Rev 2 requirements and be certified at CMMC Level 2 or 3. The CMMC certification deadline is 2025, and it is fast approaching.
Some Of The Key Changes
NIST SP (Special Publication) 800-171 outlines security requirements that government contractors should (and in some instances, may be required to) implement in covered information systems. The U.S. government has increasingly required that contractors put in place similar security measures for non-federal information systems that store, process, or transmit CUI. The updates set out in Revision 3 seek to harmonize SP 800-171 with SP 800-53 and, in turn, make it easier for contractors to comply with the requisite cybersecurity measures. Several key changes are noted below.
Elimination of Basic Security Requirements Compliance: Revision 3 removes the distinction between the basic security requirements of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and the ‘derived’ requirements from SP 800-53. Previously, contractors were required to comply with both basic and derived controls, but through Revision 3, contractors will only be required to show compliance with derived controls.
Updated Security Requirement Specifications: Prior to this revision, certain security requirements in SP 800-171 were defined at a high level, leaving them open to interpretation by contractors. In turn, those entities assessing contractor compliance could have differing expectations or interpretations of whether the organization had in fact satisfied the relevant requirement. While this may offer clarity regarding the U.S. government’s expectations of non-federal information systems, the added detail could have unintended consequences. The current SP 800-171 standards were intended to provide contractors with some level of flexibility, based on risk assessments performed. Even with that ‘intended’ flexibility, many contractors (particularly small businesses), have faced compliance challenges, and making the requirements more prescriptive may only increase those difficulties.
Addition of New Security Requirements: With Revision 3, NIST added new security requirements to several control families, including Access Control, Identification and Authentication, Physical Protection, Risk Assessment, Systems and Communication Protection, and Systems and Information Integrity, and to the newly added security requirement families: Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR). These additions did not significantly increase the total number of security requirements imposed by SP 800-171, partly because several existing requirements were withdrawn as outdated or redundant, but contractors should still be on the lookout for multi-part (or combined) requirements that impose new obligations.
Development of a Prototype CUI Overlay: Prior to the issuance of Revision 3, many organizations expressed concerns over the different security and risk management frameworks applied to the public and private sectors. In response, NIST added a “Prototype CUI Overlay” to SP 800-171. NIST developed this prototype matrix to show how the moderate control baseline in SP 800-53 is tailored at the control level and to map the tailored controls to the security requirements necessary to protect CUI.
Introduction of Organization-Defined Parameters (ODPs): In select security requirements, NIST added ODPs, which afford federal agencies the flexibility to “specify values for the designed parameters”. ODPs can be based on “laws, Executive Orders, directives, regulations, policies, standards, guidance, or mission and business needs”. Once specified, those ODPs will become part of the requirement. This could create various challenges for contractors, particularly those that do business with a variety of federal agencies and may therefore be forced to comply with different, and potentially conflicting, customer requirements.
The Department of Defense (DoD), through the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, requires contractors with information systems that store, process, or transmit covered defense information (CDI, essentially CUI obtained in the performance of a DoD contract) to comply with SP 800-171. DFARS 252.204-7012 generally requires contractors to comply with the SP 800-171 security controls in effect when the solicitation was issued, but notes the contracting officer’s ability to authorize otherwise. Other agencies are also expected to roll out cybersecurity requirements that utilize SP 800-171 standards. This means contractors should be prepared to comply with Revision 3, not only for future contracts but also because agencies may choose to implement the security controls and requirements through a contract modification.
Revision 3 could also affect the Cybersecurity Maturity Model Certification (CMMC) program. Recent DoD guidance indicates that CMMC will establish three “Maturity Levels” (down from the five Maturity Levels under the so-called “CMMC 1.0”). Contractors that store, transmit, or process CUI on non-federal information systems must meet Maturity Level 2 (formerly Maturity Level 3), which is based on SP 800-171 standards. It is not clear whether or how CMMC will incorporate any SP 800-171 revisions and, if it does, how that may affect contracts that are certified under existing SP 800-171 standards.
As stated earlier, it is crucial to begin (or continue) working towards compliance with Rev 2, so that when Rev 3 comes out, you will be that much closer to compliance, and your customers will see that your compliance program is actively progressing. If you wait until the release of Rev 3, you will be well behind your competitors, and one (1) to two (2) years away from full compliance, which would not be acceptable to your DoD or government Prime customers.
About the Author
Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, a division of Bluestreak | Bright AM™, and a regular editorial contributor for several trade publications providing technology, tips, and news for manufacturers. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, a machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe directly at email@example.com.
About Bluestreak™
Bluestreak™ is a powerful Manufacturing Execution System (MES) and a fully integrated Quality Management System (QMS), designed for the manufacturing environment and for service-based manufacturing companies (metal-treating/powder-coating, plating, heat-treating, forging, and metal-finishing): businesses that receive customers’ parts, perform a process (service) on them, and send those parts back to the customer. Companies need MES software tailored to specific functionality and workflow needs such as industry-specific specifications management, intuitive scheduling control for both staff and machinery maintenance, and the ability to manage work orders and track real-time data. If different work centers on the production floor aren’t “speaking” to each other via the MES, the data loses value and becomes disjointed or lost in disparate silos.
Bluestreak | Bright AM™ is an MES + QMS software solution specifically designed to manage and optimize the unique requirements of Additive Manufacturing’s production of parts and powder inventory usage.