Introduction

In the ever-evolving landscape of cybersecurity, staying up-to-date with the latest frameworks and regulations is crucial to protect sensitive information. One such framework is the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which outlines requirements for protecting controlled unclassified information (CUI). NIST recently released a draft of Revision 3 (Rev. 3) of SP 800-171, introducing significant changes that organizations need to be aware of. In this article, we will delve into the key modifications and additions proposed in Rev. 3 and discuss their potential impact on the defense supply chain and the Cybersecurity Maturity Model Certification (CMMC) program.

The Origins and Purpose of SP 800-171

To understand the significance of Rev. 3, let’s take a brief look at the origins and purpose of SP 800-171. Initially created in December 2016, SP 800-171 was developed as a derivative of controls and requirements found in Federal Information Processing Standard (FIPS) 200 and NIST SP 800-53. Its purpose was to provide federal agencies with recommended security requirements for protecting CUI when it resides in nonfederal systems and organizations.

Enhanced Clarity and Specificity

One of the notable changes introduced in Rev. 3 is the enhanced clarity and specificity of the security requirements. The distinction between “Basic” and “Derived” security requirements, present in previous versions, has been eliminated. Instead, NIST has opted to rely on the requirements of SP 800-53 to enhance the specificity of existing controls. This consolidation allows for a clearer understanding of the controls and simplifies compliance efforts for organizations.

For example, a requirement in Rev. 2 addressing Media Protection directed contractors to prohibit the use of portable storage devices without an identifiable owner. In Rev. 3, this requirement has been folded into the existing requirement for Media Use, which now allows organizations to either restrict or prohibit the use of organization-defined removable system media. This consolidation and reorganization of requirements aim to streamline compliance efforts and improve the overall effectiveness of the framework.

Organization-Defined Parameters (ODPs)

Rev. 3 introduces a new concept called Organization-Defined Parameters (ODPs). While already used in NIST SP 800-53, ODPs are now incorporated into 53 of the 110 Security Requirements in Rev. 3. These parameters allow organizations to define specific elements of a requirement based on their own risk assessment and security needs.

For instance, in the Access Control requirement, Rev. 2 simply stated to limit unsuccessful logon attempts. In Rev. 3, this requirement includes ODPs, specifying that organizations should limit the number of consecutive invalid logon attempts by a user within an organization-defined time period. This addition of ODPs enhances flexibility in meeting the requirements while ensuring that organizations address the specific security needs of their systems.
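To show how an ODP turns a general requirement into a concrete control, the following added example (written for this article, not code from NIST or SP 800-171) implements a logon-failure limiter whose parameters are the organization-defined values the Rev. 3 wording calls for: the maximum number of consecutive invalid attempts, the time period within which they are counted, and the lockout duration. The numeric values in `LockoutPolicy` are assumed sample settings, not values prescribed by NIST; a successful logon resets the consecutive-failure count, failures older than the window are discarded, and a correct password presented during the lockout is still refused.

```python
"""Logon-attempt limiter parameterised by organization-defined values.

Added illustration of an SP 800-171 Rev. 3 style ODP; the numbers below are
assumed sample settings, not values prescribed by NIST.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict


@dataclass(frozen=True)
class LockoutPolicy:
    # Organization-defined parameters (assumed sample values).
    max_consecutive_failures: int = 5   # ODP: number of invalid attempts
    window_seconds: int = 900           # ODP: period in which they are counted
    lockout_seconds: int = 1800         # ODP: how long the account stays locked


@dataclass
class AccountState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0                               # 0.0 means not locked


class LogonGuard:
    """Tracks invalid logon attempts per user and enforces the lockout policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return self._state(user).locked_until > now

    def record_failure(self, user: str, now: float) -> bool:
        """Register an invalid attempt at time `now`; return True if the account is locked."""
        st = self._state(user)
        if st.locked_until > now:
            return True  # already locked; do not extend the lockout from further attempts
        # Sliding window: forget failures older than the organization-defined period.
        cutoff = now - self.policy.window_seconds
        while st.failures and st.failures[0] <= cutoff:
            st.failures.popleft()
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_consecutive_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """Register valid credentials at time `now`; return True if the logon is allowed."""
        st = self._state(user)
        if st.locked_until > now:
            return False  # valid credentials are still refused during the lockout
        st.failures.clear()   # a success breaks the run of consecutive failures
        return True


if __name__ == "__main__":
    # Constructed sample: three quick failures under a 3-attempt policy lock the account.
    guard = LogonGuard(LockoutPolicy(max_consecutive_failures=3, window_seconds=60, lockout_seconds=300))
    for t in (0, 10, 20):
        print(f"t={t:>3}s failure -> locked={guard.record_failure('alice', t)}")
    print(f"t=100s success -> allowed={guard.record_success('alice', 100)}")
    print(f"t=321s success -> allowed={guard.record_success('alice', 321)}")
```

The `now` argument is passed in explicitly rather than read from the clock so the behaviour can be exercised deterministically; in a real service it would be `time.time()` and the per-user state would live in shared storage rather than a dictionary.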

Encryption Is Now an ODP

The use of encryption to protect the confidentiality of CUI has always been a critical requirement. However, Rev. 3 introduces an ODP approach to encryption, providing organizations with the flexibility to choose the types of cryptography that best suit their needs. Rev. 2 mandated the use of FIPS-validated cryptography; based on feedback received during the comment period, NIST has revised this requirement.

In Rev. 3, organizations are now required to implement organization-defined types of cryptography to protect the confidentiality of CUI. This change allows organizations to tailor their cryptographic solutions based on their risk assessments and specific security requirements. While this flexibility is welcomed, organizations should ensure that their chosen cryptography aligns with industry best practices and provides an adequate level of protection.

Policies and Procedures Are Required

Another significant change in Rev. 3 is the explicit requirement for organizations to establish and maintain policies and procedures. While previous versions of SP 800-171 assumed the existence of these policies and procedures, Rev. 3 now mandates their implementation. This change aims to ensure that organizations have documented processes and guidelines in place to support their cybersecurity programs.

Organizations should review their current policies and procedures to ensure they align with the new requirements. This includes policies and procedures for each security family, rules of behavior, and acceptable use policies. Additionally, organizations should ensure that external system service providers comply with their security requirements, as this is now explicitly stated in Rev. 3.

Software Producers and MSPs Beware

With the increasing reliance on software and managed service providers (MSPs), Rev. 3 addresses the need to manage supply chain risks and ensure the security of system components. The new requirements in Rev. 3 include a focus on supply chain risk management and the development or acquisition of new system components.

These additions align with the growing concerns around software vulnerabilities and the need to ensure the integrity of the supply chain. Organizations should be prepared to assess and mitigate supply chain risks and consider the inclusion of software and firmware development processes in their cybersecurity programs. They should also stay informed about upcoming rules and regulations, such as requirements for Software Bills of Materials (SBOMs), to ensure compliance as the cybersecurity landscape evolves.

Navigating the Changes: A Proposed Approach

With the release of the Rev. 3 draft, organizations must understand the changes and begin planning for their adoption. To effectively navigate the modifications, a systematic approach can be employed:

  1. Review the Change Analysis: NIST has provided a change analysis document that highlights the differences between Rev. 2 and Rev. 3. Start by reviewing this document to gain an understanding of the key changes.
  2. Identify Significant Changes: Focus on the requirements that have been identified as significant changes in the change analysis document. These changes may require more attention and adjustment in your cybersecurity program.
  3. Assess Existing SSPs and SPRS/800-171A Assessments: Evaluate your existing System Security Plans (SSPs) and Security and Privacy Requirements Scoping Tool (SPRS)/800-171A Assessments to determine if they are prepared for the pending changes. Identify any gaps and develop a plan to address them.
  4. Implement Organization-Defined Parameters: Take advantage of the flexibility offered by ODPs. Assess your organization’s risk tolerance and define parameters that align with your specific needs. Ensure that your SSPs reflect these defined parameters.
  5. Address Supply Chain Risk Management: Review your supply chain management processes and identify areas that require improvement to mitigate supply chain risks. Consider the inclusion of software and firmware development processes in your cybersecurity program.
  6. Update Policies and Procedures: Review and update your policies and procedures to align with the explicit requirement in Rev. 3. Ensure that you have documented processes for each security family, rules of behavior, and acceptable use policies.
  7. Prepare for Independent Assessments: Start planning for independent assessments of your control implementation. This includes conducting internal audits or engaging independent resources to assess compliance with the requirements.
  8. Maintain Awareness of Updates: Stay informed about the progress of Rev. 3 and the finalization of the framework. Monitor official guidance from NIST and other relevant authorities to ensure ongoing compliance with the latest requirements.

The Impact on DoD’s Cyber Initiatives

Many organizations wonder how the release of Rev. 3 will affect the DoD’s CMMC program and related efforts. DFARS 252.204-7012 requires contractors to comply with the current version of NIST SP 800-171. This means that, theoretically, contractors could be required to comply with Rev. 3 once it is finalized.

To address this potential scenario, DoD is expected to issue guidance outlining the phased implementation of Rev. 3’s requirements across the defense supply chain. This guidance will help contractors align their compliance efforts accordingly. While some coordination challenges may arise, it is crucial for organizations to adapt to the changes and ensure compliance with both Rev. 3 and existing requirements to avoid any conflicts.

How vCISO Services Can Help

As the changes introduced in Rev. 3 become a reality for organizations, seeking assistance from experienced professionals can alleviate the burden of compliance. Atlantic Digital, a leading provider of vCISO services, offers expertise in navigating the complexities of cybersecurity frameworks like NIST SP 800-171.

With Atlantic Digital’s vCISO services, organizations can benefit from strategic guidance and support in implementing the necessary changes to meet Rev. 3’s requirements. Their team of dedicated professionals can assess your current cybersecurity program, develop tailored solutions, and provide ongoing advisory services to maintain compliance over time.

Conclusion

As organizations brace themselves for the release of NIST SP 800-171 Rev. 3, it is crucial to understand the proposed changes and their implications. The consolidation of requirements, the introduction of ODPs, and the emphasis on supply chain risk management reflect the evolving cybersecurity landscape.

By staying informed, conducting thorough assessments, and seeking support from experts like Atlantic Digital, organizations can navigate the complexities of Rev. 3 and ensure the continued protection of sensitive information. Embrace the changes, adapt your cybersecurity programs, and take the opportunity to enhance your security posture in the face of evolving threats.

Additional Information: Atlantic Digital can help as these changes become reality for your organization with our vCISO services. With our expertise and comprehensive approach, we can guide your organization through the complexities of NIST SP 800-171 Rev. 3 and ensure compliance while enhancing your overall cybersecurity posture. Contact us today to learn more about how our vCISO services can support your organization.