June 2, 2023

    NIST 800-171 Revision 3: What You Need to Know

    On May 10, 2023, the National Institute of Standards and Technology (NIST) published a draft of the third revision of the NIST 800-171 standard (NIST 800-171 R3). This new draft revision is a significant update to the previous version, with several changes that will impact organizations that handle Controlled Unclassified Information (CUI). In this blog post, we will explore the differences between NIST 800-171 Revision 2 and Revision 3, and what you need to know to stay in compliance.

    Background

    NIST 800-171 was first published in 2016 to provide guidance for protecting CUI in non-federal systems and organizations. The standard outlines 110 CUI security requirements that must be met to ensure the confidentiality, integrity, and availability. These requirements are organized into 14 families, each addressing a specific area of security.

    In 2020, NIST released Revision 2 of the standard, which included several updates and clarifications to the original requirements. However, with the ever-evolving threat landscape, NIST recognized the need for further updates to ensure organizations are adequately protected.

    Now, in 2023 they've moved on to a third revision of the standard with 113 total controls instead of 110 total controls. Most defense and aerospace contractors are asking the question, "how will these new controls affect my CMMC preparations?" Spoiler alert: it doesn't. 

    Key Changes in Revision 3

    When we reviewed the changes proposed in Revision 3, our customers will be happy to know, we already provide all of the controls necessary for the protection of CUI.

    NIST has broken down the changes into the following categories:

    1. No significant change: "Editorial changes to requirement; no change in outcome."
    2. Significant Change: "Additional detail in requirement, including more comprehensive detail on and foundational tasks for achieving the outcome of the requirement."
    3. Minor Change: "Editorial changes. Limited changes in level of detail and outcome of requirement."
    4. Withdrawn Requirement: "Requirement withdrawn"
    5. New Organization-defined Parameter (ODP): "New ODP's can apply to all change types with the exception of withdrawn requirements. Each Requirements includes one or more new ODPs."

    Here's how these categories are broken down in Revision 3. NIST might have a control in more than one category. For instance, a new ODP might also be listed as a new requirement, a significant change, or a minor change (hence, how they reached a total of 138).

    Type of Change Change Description Number of Controls
    No significant change Editorial changes to requirement; no change in outcome. 18
    Significant Change Additional detail in requirement, including more comprehensive detail on and foundational tasks for achieving the outcome of the requirement. 49
    Minor Change Editorial changes. Limited changes in level of detail and outcome of requirement. 18
    New Requirement Newly added requirement in IPD SP 800-171 Rev 3. 26
    Withdrawn Requirement Requirement withdrawn. 27
    New Organization-defined Parameter (ODP) New ODPs can apply to all change types with the exception of withdrawn requirements. Each requirement includes one or more new ODPs. 53
      Total Number of Security Requirements in Draft SP 800-171 Rev 3 138 

    Source: https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/draft

    To quote NISTs "transition mapping table" the changes in the draft are as follows:

    1. Updates to the security requirements and families to reflect updates in NIST SP 800-53, Revision 5 (still in Draft) and the NIST SP 800-53B moderate control baseline
    2. Updated tailoring criteria
    3. Increased specificity for security requirements to remove ambiguity, improve the effectiveness of implementation, and clarify the scope of assessments
    4. Introduction of organization-defined parameters (ODP) in selected security requirements to increase flexibility and help organizations better manage risk
    5. A prototype CUI overlay

    The above changes will affect your organization in several high-level ways:

    1. New Security Requirements: The new revision includes three new security requirements, bringing the total to 113. These new requirements address topics such as supply chain risk management and incident response. With this, they’ve also introduced a new tailoring category, Not Applicable (NA)
    2. Updated Security Requirements: Many of the existing security requirements have been updated to reflect current best practices and technologies. Other requirements have been removed if they were “outdated or redundant.” For example, the encryption requirements have been updated to include stronger encryption algorithms.
    3. Clarifications and Simplifications: NIST has clarified several requirements to provide better guidance to organizations. Additionally, some requirements have been simplified to make them easier to understand and implement.
    4. Reorganization of Requirements: The security requirements have been reorganized to align with the NIST Cybersecurity Framework with 17 clear control groups. This alignment makes it easier for organizations to use both frameworks together to improve their overall security posture.
    5. New Assessment Procedures: NIST has also updated the assessment procedures for the NIST compliance standard. These changes include new testing procedures and guidance on how to conduct assessments remotely.

    Implications for Organizations

    Organizations that handle CUI must comply with the NIST 800-171 standard. Failure to comply can result in the loss of contracts and damage to the organization's reputation. With the release of revision 3, organizations must ensure they are up to date with the latest security requirements.

    One of the most significant changes in revision 3 is the addition of new security requirements. Organizations must review these new requirements and ensure they have implemented the necessary controls to meet them. Additionally, organizations must review the updated requirements to ensure they are meeting the latest best practices.

    The reorganization of the security requirements may also impact organizations. The alignment with the NIST Cybersecurity Framework provides a more comprehensive approach to security. However, organizations may need to adjust their current security programs to align with the new structure.

    Finally, the updated assessment procedures may impact how organizations are assessed for compliance. Organizations must review the new procedures and ensure they are prepared for any changes.

    Conclusion

    NIST 800-171 revision 3 is a significant update to the standard that organizations must take seriously. With new security requirements, updated requirements, and new assessment procedures, organizations must ensure they are up to date with the latest guidance. Failure to comply can result in significant consequences, including the loss of contracts and damage to the organization's reputation. By staying informed and implementing the necessary controls, organizations can ensure they are adequately protecting CUI and meeting their compliance obligations.

    Need NIST 800-171 Compliance?

    Do you need to become or ensure your organization is NIST 800-171 compliant with today's requirements and what they might be when revision 3 is finalized? Get a FREE trial of the Sharetru platform today to see how easy we can make it for you! 

     

    Arvind Mistry

    Arvind, Sharetru's Director of Compliance, brings 11+ years' experience in cloud solutions for Federal Govt. & public sector from esteemed companies.

    Other posts you might be interested in

    View All Posts