Disclaimer: NIST 800-171 Revision 3 is in DRAFT form, and public comments will be gathered before the publication is made final.
1. Resource Allocation = Time & Money
Even though the total count of security requirements in the recently released draft of NIST 800-171 Rev. 3 remained steady with Rev. 2, the requirements were expanded upon by combining multiple elements or components within the draft 110 requirements.
Twenty-two of the requirements in NIST 800-171 Rev. 3 are marked as “withdrawn.” However, this is because they were assimilated into other requirements within Rev. 3. On top of the incorporated “withdrawn” requirements, Rev. 3 includes 26 new security requirements.
The assumption among the community is that the integration of Rev. 3 into CMMC will require 2-3 years. As a result, most organizations are likely to postpone strategizing on enhancing their systems’ security, but is that the right approach?
Mature organizations continuously monitor and test their controls and assess their compliance programs. These activities facilitate the planning, prioritizing, and budgeting for enhancements to their security posture 1-3 years in advance. The transition from Rev. 2 to Rev. 3 will require investment in time, financial resources, and technical capabilities — as well as, incremental changes, including procedural and technical, which should be identified on a risk-based roadmap for clear communication with the leadership team.
2. Independent Assessment Introduces a New Control
If you are employed by an organization heavily relying on the concept of bifurcation, a new independent assessment requirement might significantly impact your perspective. This is reaffirming the lack of bifurcation considering the Department of Defense (DoD) has previously stated that bifurcation will rarely occur.
The average variation between a self-assessment score (Basic Assessment) and a Medium Assessment (DIBCAC Review) is 113 points, and according to DIBCAC, this difference is noteworthy.
Note: Please follow the links for detailed data.
NIST 171 Rev. 3 introduces a control 3.12.5, Independent Assessment. It is critical for an organization to identify and select defensible independent assessments in its strategic roadmap as an integral part of its continuous compliance strategy. Additionally, it’s important to properly allocate resources and schedule adequate time for the phases of preparation, implementation, and remediation of additional security enhancements.
3. Early Adoption Gives Organizations a Competitive Advantage
Given the changes to incorporate the Rev. 3 requirements into CMMC, we predict that the implementation of Rev.3 will likely occur in a gradual, phased manner similar to the existing FedRAMP transition. C3PAOs will likely be at the forefront of getting certified with Rev. 3, followed by proactive organizations looking for a competitive advantage.
As with the early adopters of CMMC/NIST 800-171 who gained market appeal among prime contractors, the same will likely apply to Rev. 3. Organizations that seize the opportunity to adapt and enhance their security posture will reap benefits, increasing their ability to identify and respond to business threats, and standing out from those who remain stagnant with technical and procedural debt.
The updated security requirements may lead to the exclusion of numerous suppliers from the Defense Industrial Base (DIB) and the Defense Supply Chain (DSC). However, organizations can increase their chances of success by documenting the risks to business objectives, planning on mitigating them through security improvements, and obtaining executive buy-in.
Roadmaps
To take action in preparing for NIST 800-171 Revision 3, integrate the changes that will affect your organization into your enterprise security roadmap. Enterprise security roadmaps typically include various components and initiatives aimed at enhancing an organization’s security posture and increasing visibility in alignment with business goals and objectives. Here are some common elements found in cybersecurity roadmaps that you can incorporate into your own:
1. Define the Desired State
Example: Increase revenue stream from Federal programs, including DoD work, by XX% within 36 months or by Q2, Fiscal Year 2025.
These goals should also define the level of security your organization aims to achieve, including industry regulations, risk levels, protecting sensitive data, and ensuring the availability of critical systems.
2. Define Your Current State (Gaps, Weaknesses, and Opportunities)
Start by conducting a thorough assessment of your current enterprise security posture. Once you have defined your present and desired states, you can identify the gaps and potential opportunities for security enhancements or existing alignment.
3. Prioritize Actions
Develop a plan for addressing these gaps and maximizing the identified opportunities based on their impact and risk to the business objective.
4. Develop a Roadmap
Outline the steps to reach your desired state of enterprise security including timelines, resources required, and responsibilities.
5. Regular Review and Update
Cyber risk and compliance is an ongoing process, not a one-time effort. Regularly review and update your roadmap based on new objectives, threats, business changes, and technological advancements.