Last Thursday, the National Institute of Standards and Technology (NIST) released a significant update to its Special Publication 800-171, Revision 3. This draft update is crucial for protecting controlled unclassified information (CUI) on non-federal information systems, particularly as the Department of Defense finalizes its Cybersecurity Maturity Model Certification (CMMC) 2.0 program.
Here are some of the key differences between the new and previous versious, and what they mean for the future regarding compliance in the DIB.
Key Changes in NIST SP 800-171 Revision 3
-
Streamlined Introduction for Enhanced Clarity: The revised publication simplifies introductory information, making it more accessible and understandable for users.
-
Unified Security Requirements: The distinction between basic and derived security requirements has been eliminated, leading to a more cohesive and clear set of guidelines.
-
Increased Specificity in Security Requirements: The new revision details security requirements more specifically, reducing ambiguity and improving both the effectiveness of implementation and clarity in assessments.
-
Introduction of Organization-Defined Parameters (ODPs): ODPs are now included in selected security requirements to provide flexibility and better risk management, consistent with their use in NIST SP 800-53, Revision 5.
-
Removal of Redundant Requirements: Outdated and unnecessary security requirements have been eliminated, and some combined for consistency and ease of use.
-
Addition of New Security Requirement Families: New families such as Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR) have been added to align with the NIST SP 800-53B moderate control baseline.
-
Alignment with NIST SP 800-53: The security requirement structure and language have been aligned with NIST SP 800-53, reflecting a strategy to streamline the frameworks used across sectors.
-
Enhancements for Usability: The revision includes several usability improvements like titles for each security requirement, internal and external hyperlinks for navigation, updated discussion sections, and direct links to source controls in NIST SP 800-53.
-
Transition Mapping Tables: These tables have been introduced to help organizations understand the changes from Revision 2 to Revision 3.
-
Availability in Different Data Formats: Following publication, the security requirements will be updated in CPRT and made available in formats like CSV and JSON.
See a more detailed FAQ list regarding revision 3 changes from NIST here.
Implications for CMMC 2.0 Compliance and Contractors
The updates in Draft NIST 800-171 Rev. 3 will significantly inform the requirements for CMMC 2.0, especially concerning the protection of CUI across the defense industrial base. It's essential for contractors to be aware of these changes to align their practices with the upcoming DoD requirements.
Solutions like Virtru's data-centric security suite can be instrumental in this transition. By providing persistent encryption and granular access controls over shared files and emails, Virtru helps in complying with the revised standards and protecting sensitive CUI throughout its lifecycle.
Looking Ahead
NIST has opened a final public comment period until January 12, 2024, on these draft changes, with the final publication expected in early 2024. This timeline closely aligns with predictions for the rollout of CMMC 2.0.
NIST 800-171 r3 Will Likely Align with CMMC 2.0: Are You Ready?
As the cybersecurity landscape evolves, staying abreast of these changes is critical for contractors and organizations working within the Defense Industrial Base. Understanding and implementing the revisions in NIST SP 800-171, Revision 3 will be key to maintaining compliance and ensuring the secure handling of CUI.
Learn how Virtru can help your business prepare for these upcoming changes and maintain compliance while collaborating within the DIB efficiently and securely.
