On November 9, 2023, NIST released the NIST SP 800-171 Rev. 3 Final Public Draft (FPD), the final draft revision of SP 800-171. According to Ron Ross, a fellow at NIST, the new requirements in this revision were added to “specifically address threats to CUI, which recently has been a target of state-level espionage.” Entities that process, store, or transmit Controlled Unclassified Information (CUI) do so “for or on behalf of the government.” 32 CFR 2002.4(h) requires that such information be safeguarded and disseminated in accordance with the laws, regulations, or established government-wide policies.
There are different measures an organization can take to secure CUI at rest and in transmission, and one of them is to fully implement the requirements of the NIST SP 800-171. This Special Publication codifies non-federal information systems’ requirements to securely store, process, or transmit CUI.
However, state-level espionage was not the only reason for revising the publication. Cyber threats are constantly evolving, and the protection mechanisms need to be updated accordingly. Since CMMC 2.0 certification depends on how well a contractor implements NIST SP 800-171, there are several things to understand about SP 800-171r3, including:
When will NIST SP 800-171 Rev. 3 come into effect?
As its name suggests, SP 800-171 Rev. 3 (FPD) is a draft. From a timeline perspective, the final publication is expected by Q1 of 2024. But DFARS 252.204-7012(b)(2)(i) requires that contractors be compliant with the then-current version of SP 800-171 or as authorized by the Contracting Officer. This poses a significant problem. It means that, in theory, contractors might be required to adhere to NIST SP 800-171r3 as soon as NIST publishes the final version.
To avoid such a scenario, the DoD will likely issue a temporary waiver or a guidance memo outlining the agency’s approach to adopting the requirements of NIST SP 800-171r3 throughout the defense supply chain. Without this, most contractors will be out of compliance.
NIST SP 800-171 Rev. 3 (FPD) introduces 3 new families
One of the most visible changes in SP 800-171 Rev. 3 (FPD) is the introduction of three new families. This means the revised edition will have 17 families if published as is. These families align with the control families outlined in the NIST SP 800-53 moderate control baseline. By adding these families, NIST aims to enhance the resilience and security of non-federal organizations’ information systems that handle CUI. The new families added to the NIST SP 800-171 Rev. 3 (FPD) include:
Planning (PL)
Building a governance structure is necessary, and it is now spelled out as an SP 800-171r3 requirement. Organizations should develop solid policies and procedures for protecting CUI, and these policies and procedures should provide security assurance. The policies may be part of a general organizational security policy or separate policies addressing each family of requirements. The procedures should describe how an organization will implement the policies. They should be directed to the role or individual responsible for carrying out each procedure and documented in an SSP or in other separate documents. Together, policies and procedures make up the cybersecurity plan.
System and Services Acquisition (SA)
This family of requirements in the NIST SP 800-171 Rev. 3 (FPD) addresses critical aspects of securing systems during and after acquisition. Organizations must include security requirements covering both assurance and functional aspects in contracts during the acquisition process. They must replace unsupported components or institute risk mitigation mechanisms, since adversaries usually exploit weaknesses or deficiencies in such systems. Organizations are therefore expected to keep software systems up to date and, where vulnerabilities exist, to patch them on time.
External service providers are a key component of service delivery, so any of their systems that process, store, or transmit CUI must be secure. Contractors reliant on external service providers must define security requirements for the providers, document user roles and responsibilities, and implement a robust and ongoing monitoring process. The contractor remains responsible for managing the risks associated with any services rendered by external service providers. Here, service level agreements (SLAs) are critical in describing outcomes, setting expectations, and outlining remedies for non-compliance.
Supply Chain Risk Management (SR)
This family covers managing risks associated with services or products from external providers throughout a system’s lifecycle. There are many supply chain risks, including theft, tampering, poor manufacturing practices, malicious code injection, and counterfeits, among many others. Managing such risks requires plans and coordinated efforts to communicate and build trust with stakeholders.
Besides developing plans to manage supply chain risks, contractors should periodically review and update those plans and protect them from unauthorized disclosure. Contractors should also use contract tools, procurement methods, and acquisition strategies that identify, protect against, and mitigate supply chain risks, and they should develop mechanisms for finding weaknesses in the various elements and processes of their supply chain.
NIST SP 800-171 Rev. 3 (FPD) has more security requirements
The NIST SP 800-171 Rev. 3 (FPD) has 96 requirements. Compared to NIST SP 800-171r2’s 110 practices, that is a 14% reduction. According to NIST and various experts, this is a “significant” reduction – but is it? NIST SP 800-171r2 has 110 security requirements, and each of the 110 practices has, or appears to have, only one control item. On the other hand, the requirements in SP 800-171r3 (FPD) often appear to have multiple control items. Therefore, the number of control items has considerably increased in SP 800-171r3 (FPD).
Introduction of ODPs
The NIST team introduced Organization-Defined Parameters (ODPs) in SP 800-171r3’s initial public draft to align it with NIST SP 800-53. Some of the requirements in NIST SP 800-171r3 (FPD) (e.g., 3.16.3, External System Services) include ODPs that provide flexibility through selection and assignment operations. This allows federal and non-federal organizations to specify the designated parameter’s value(s) in the requirements. Organizations can customize their security requirements through assignment and selection operations, tailoring them to their specific protection needs. However, NIST does not set or assign values for ODPs; that is done by a federal agency or a group of federal agencies. Where an ODP value has not been established or assigned, NIST SP 800-171 Rev. 3 (FPD) requires that the contractor assign the value to complete the requirement.
Currently, most of the ODPs are left to the contractor. However, external requirements from solicitations or regulations sometimes override a contractor’s internal parameters. A good example is when a solicitation contains DFARS 7012. According to DFARS 252.204-7012(e), contractors must preserve cyber incident-related data for at least 90 days after submitting the incident report to the DoD. Since such a requirement overrides whatever internal parameters a contractor may have in place, the contractor cannot set a cyber incident-related data retention period shorter than 90 days.
Does the revision impact CMMC 2.0 rulemaking?
NIST SP 800-171r3 is expected to be published early in 2024. However, the DoD officially submitted CMMC 2.0 to OIRA for review on July 24, 2023. Under Executive Order 12866, OIRA has 90 days to review the rule and take subsequent actions, including publishing it in the Federal Register. If CMMC is published in the Federal Register, a 60-day public comment period follows. Given that OIRA may extend the 90-day review period, the CMMC 2.0 final rule should be expected to appear in contracts and solicitations by 2025. So, the revisions in NIST SP 800-171 won’t affect the CMMC rulemaking because the process is already underway.
CMMC is a framework, NIST SP 800-171 is a standard, and DFARS 252.204-7012 is a regulation, but they all relate to protecting CUI. Thus, while CMMC builds on NIST SP 800-171 and DFARS 252.204-7012 and their requirements are closely related, they differ. CMMC assessments follow the NIST SP 800-171 and DFARS 7012 requirements to verify compliance.
Thus, if the DoD issues a guidance memo or temporary waivers for SP 800-171r3 (FPD), then CMMC assessments won’t include its requirements until the end of the waiver period. If the DoD doesn’t issue a waiver, then CMMC assessments may include NIST SP 800-171r3, assuming that the Cyber AB develops training and assessment materials in time.
Therefore, contractors should be prepared to undergo CMMC 2.0 assessments immediately, or as soon as possible, after the rulemaking process is finalized. Any delay increases the chance that SP 800-171r3 becomes the assessable standard in CMMC assessments. If NIST SP 800-171r3 is published as is, the increase in requirements will result in higher implementation costs.
Embracing the Future of Compliance with NIST SP 800-171 Rev. 3
NIST SP 800-171 Rev. 3 (FPD) introduces some critical changes that members of the DoD supply chain must understand to secure CUI and remain compliant. Although finalization is slated for spring 2024, contractors should thoroughly understand the new provisions NOW. As the old saying goes, “the early bird catches the worm.” Understanding the requirements places contractors in a favorable position to achieve CMMC compliance when NIST SP 800-171r3 becomes applicable.