On 10 January 2024, The National Institute of Standards and Technology (NIST) shared critical updates to Special Publication 800-171, Revision 3.
These guidelines safeguard the Controlled Unclassified Information (CUI) processed, stored, or transmitted by nonfederal systems and organizations. This 10-year-old initiative has affected thousands of defense contractors, subcontractors, and critical infrastructure.
Here are some key takeaways from the release of SP 800-171 r3.
1. Alignment with the Language and Format of NIST SP 800-53 r5
NIST SP 800-171 Revision 3 now aligns more closely with NIST SP 800-53 Revision 5, ensuring security requirements are communicated consistently across federal and nonfederal organizations.
By aligning with NIST 53 r5, NIST 171 r3 brings the security requirements from higher to lower level by making the potential implementation statements narrower. This is especially true with the inclusion of Organization-Defined Parameters (ODPs).
2. Reduction of Organization-Defined Parameters (ODP)
The introduction of ODPs in select security requirements offers increased flexibility for organizations to better manage risks as suited to their specific contexts. ODPs also help bring high-level requirements to a more narrow, mature, and specific set of requirements.
While NIST reduced the number of ODPs between the initial public draft (IPD) and this final public draft (FPD) by over 50%, the ODPs that survived the cut will more than likely remain for the final publication.
ORCs and Not Applicable (NAs) are also new and leveraged to explain the tailoring criteria.
3. Introduction of Prototype CUI Overlay
NIST provides a nifty tool to help identify the traceability between the NIST 53 r5 and 171 r3. This also includes the logic behind the tailoring and introduces new tailoring criteria.
The overlay helps navigate the requirements, including the detailed analysis to support the tailoring and mapping from the original control. It will look more like NIST 53 r5, and by the time we get to NIST 171r4, NIST anticipates the overlay will be more noticeable than these initial versions.
One of the tailoring decisions that might cause confusion is the addition of the Other-Related-Controls (ORCs). This is a criteria that states that “the control relating to the protection of confidentiality of CUI is adequately covered by other related controls.” In other words, if you’ve implemented all other security requirements, you don’t need to worry about this item because you’ve done it, too; the control is just here as a placeholder.
The rule of thumb is, if a requirement is not in a contract or part of Section 3 (The Requirements section), then it is not an assessable requirement. Remember the NFOs in 171 rev2?
4. Enhanced Specificity and Clarity
Revision 3 also includes more specific and clear security requirements, reducing assessment ambiguity. This clarity will help contractors better understand the system requirements, how to effectively implement them, and how the assessment bodies will assess the cybersecurity practices.
5. Extension of Public Involvement
NIST has conducted extensive data collection, analysis, and public interaction to develop these guidelines. The public comment period has been extended, allowing stakeholders to review and provide feedback on the draft.
Implications for Federal Agencies and Contractors
The revised guidelines are intended to assist federal agencies and government contractors in consistently implementing these security requirements to protect the confidentiality of CUI. Systems storing CUI often support government programs with critical assets, making their protection paramount. The changes aim to simplify the NIST cybersecurity publications ecosystem while ensuring improved national and economic security safeguards.
Future Directions
NIST plans further revisions and updates following the finalization of SP 800-171 r3. This includes updates to related publications such as SP 800-171A (security requirement assessment) and SP 800-172 (enhanced security requirements).