Hollywood is full of them. And unless you are trapped on the Planet of the Apes, caught on the 3:10 to Yuma, or running from Godzilla, you’ve probably seen a movie reboot or two over the past two decades. The term generally refers to the new start of a known fictional universe where established continuity is discarded to re-create that series’ characters, plotlines, and backstory from the beginning. Thankfully—and I’m looking at you, CMMC—that is a trend that appears to be confined to the entertainment industry and not one that will be adopted in federal contractor cybersecurity. To be sure, on May 10, 2023, the National Institute of Standards and Technology (NIST) released for review and comment a draft of Revision 3 of its Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations. Not only is NIST seeking comments via email no later than July 14, 2023, on Rev. 3, it has even provided a comment template to help with that effort. Let’s get into some of those key changes to demonstrate how Rev. 3 is more of a sequel than a reboot.
Origin Stories: Why the Changes?
Back in December of 2016, NIST SP 800-171 was created as a derivative of controls and requirements found in Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, and the moderate security control baseline in NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. Its purpose was simple: “to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI when the CUI is resident in a nonfederal system and organization; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government [-] wide policy for the CUI category or subcategory listed in the CUI Registry.” Accordingly, NIST SP 800-171 was, first, a progeny of its foundation publications and, second, a product of its time and era. Accordingly, as we learned more and refined the security controls resident in SP 800-53, now in its fifth revision, so too has NIST SP 800-171 evolved and grown.
Elevated Action: What’s Changed?
Let’s go over the main plot points contractors should know about Rev. 3:
- Enhanced Clarity and Specificity: A key revision of Rev. 3 was the elimination of the distinction between “Basic” and “Derived” security requirements. In prior versions, the distinction stood as a bookmark for the Basic Requirements from FIPS 200 and the Derived Requirements from NIST SP 800-53. While each had to be separately met, NIST recognized a better solution would be simply to rely on the requirements of 800-53 to enhance the specificity of existing controls. Accordingly, many of the previous “Derived” requirements have been folded into existing requirements to enhance the clarity of the control. For example, the requirement found at Rev. 2 addressing Media Protection at 3.8.8 directed that contractors “[p]rohibit the use of portable storage devices when such devices have no identifiable owner.” Like many “Derived” requirements, that one was “Withdrawn” and folded into Rev. 3’s 3.8.7, which now states:
Media Use
a. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined removable system media].
b. Prohibit the use of portable storage devices when such devices have no identifiable owner.
- Organization-Defined Parameters (ODPs): New to NIST SP 800-171 (but used throughout NIST SP 800-53), the ODPs allow contractors to “call their shots”—or insist that they do so—in addressing certain security requirements. For example, Rev. 2 of the Access Control requirement 3.1.8 stated, simply, “Limit unsuccessful logon attempts.” The Rev. 3 version of 3.1.8 now includes an ODP and requires: “Limit the number of consecutive invalid logon attempts by a user to [Assignment: organization-defined number] in [Assignment: organization-defined time period].” In this example, contractors must identify (1) how many logon attempts are permitted over (2) a certain period of time. There are ODPs in 53—nearly half—of Rev. 3’s 110 Security Requirements. While this addition allows more flexibility, it also ensures that contractors understand and are able to address the specific requirements in their system security plans (SSPs). It also gives auditors a self-imposed metric to measure contractors against.
- Encryption Is Now an ODP: In the November 1, 2022 Pre-Draft Call for Comments: NIST CUI Series Analysis of Public Comments, it was expressly identified that most commenters chose to address the requirements of Rev. 2 Requirement 3.13.11, which directed that CUI holders “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.” NIST vowed to “balance stakeholder concerns with appropriate countermeasures to protect the confidentiality of CUI,” and it looks like they did just that. The Rev. 3 version states that CUI holders must “[i]mplement the following types of cryptography when used to protect the confidentiality of CUI: [Assignment: organization-defined types of cryptography]” and allows contractors to identify the appropriate cryptography. It remains to be seen whether there is or could be a “wrong answer” to this ODP, but the flexibility will be a welcome relief for many.
- Policies and Procedures Are Required: For years we have been informing clients to examine the “Tailoring Requirements” found in Tab E of Revs. 1 and 2 so that they recognize NIST SP 800-171 is built on over 50 assumptions. Labeled as “Nonfederal Organization” (NFO), these assumptions were identified as not being included in NIST SP 800-171 because they were “[e]xpected to be implemented by nonfederal organizations without specification.” They included areas such as (i) policies and procedures for each of the security families, (ii) the establishment of system rules of behavior/acceptable use policies, and (iii) ensuring external system service providers (such as Managed Service Providers (MSPs)) comply with organization security requirements. Those policies and procedures are no longer assumed; they are directed. While Rev. 3’s Appendix C still retains “Tailoring Criteria” describing why certain NIST SP 800-53 controls/families are not included in NIST SP 800-171, there are far fewer assumptions upon which Rev. 3 is built.
- Software Producers and MSPs Beware: Conforming to the Controls found in NIST SP 800-53, Rev. 5, the security requirements in Rev. 3 also addresses “Supply Chain Risk Management” in newly adopted requirements 3.17.1 through 3.17.4. Seemingly knowing which way the [solar] winds are blowing, the new requirements are intended to focus contractors on all aspects of the supply chain, including the “software and firmware development processes.” Similarly, the inclusion of the “System and Service Acquisition” family not only dovetails into software security through the application of systems security engineering principles, but also addresses the growing presence of managed service providers in the contractor cybersecurity space. With pending rules and regulations addressing Software Bills of Materials, the Internet of Things, and the as-yet-unknown application of CMMC, It is clear that NIST has developed Rev. 3 to address the requirements that are peeking over the horizon.
Playing Catch-Up: Where Do I Look?
Keeping up with all the shows and sequels is hard. Unless you’re into marathon binge sessions, it may require a YouTube recap or some other viewer-friendly highlight reel to get you up to speed. As it happens, Rev. 3 comes with its very own “Change analysis” recap to help orient contractors on the changes, and it’s one that we highly recommend. For those already neck-deep in 800-171 compliance efforts, here’s how we’d recommend attacking Rev. 3:
- Open the link, enable editing, and go to the second Tab, “Change Analysis Rev2-IPD Rev 3.”
- Hide Columns B, E, and F. They are mostly superfluous for this effort, and you’ll want some space.
- Filter on Column I, “No Significant Change,” to “Select All”.
- This opens up the full scope of all the requirements, new and old.
- Now HIDE Column I.
- Filter on Column J, “Significant Changes.”
- You’ll find 49 rows of “significant changes,” spanning all Control Families.
- Compare the Rev. 2 Security Requirements in Column D against the Rev. 3 Security Requirements in Column H.
- Note that many of these “Significant Changes” address the new ODPs that allow contractors to define elements of the particular requirement or demand that they do so.
- Assess whether/how your existing SSP and SPRS/NIST SP 800-171A Assessments are prepared for the pending change.
- Now undo the Filter on Column J with a “Select All.”
- Filter on Column K, “Minor Changes.”
- There are 18 “Minor Changes” premised mainly on updates to NIST SP 800-53.
- Many of these “Minor Changes” are a result of the elimination of the “Basic” and “Derived” security requirements distinction and will require a little more specificity in existing SSPs and SPRS/800-171A Assessments.
- Now undo the Filter on Column K with a “Select All.”
- Filter on Column M, “New Requirements.”
- There are 24 “New Requirements”* based on changes to SP 800-53 Rev. 5 and the directions to create a “Policy and Procedure” for each requirement.
*3.15.1 and 3.15.3 are erroneously included twice, messing up NIST’s count.
- The new “Planning” (3.15), “System and Services Acquisition” (3.16), and Supply Chain Risk Management (3.17) families are also represented.
- Addressing these new requirements and families will take planning. Ensure your enterprise understands the obligations they impose; examine whether you wish to make a comment on these new inclusions.
- Now undo the Filter on Column M with a “Select All.”
- Filter on Column N, “Withdrawn Requirement.”
- There are 26 purported “Withdrawn Requirements”—BE CAREFUL.
- Understand why the Requirements are “withdrawn,” as most were incorporated into other Requirements, so they’re not really “gone.”
- Only two were fully withdrawn. Another two were recategorized or deemed “Technology-specific.”
- Ensure your SSP and SPRS/800-171A Assessments are prepared to assimilate all the requirements that were incorporated into other Requirements.
- Now undo the Filter on Column M with a “Select All.”
- Finally, REMEMBER REV. 3 IS A DRAFT. Review and evaluate your present state against where NIST may be leading you in the near term. Prepare for that eventuality, but don’t make changes yet. Wait for the draft to be finalized. If you have an issue with any of the changes, you have until July 14, 2023, to voice your concerns. Thereafter, you’re stuck with the changes, and you should expect to see and respond to the requirements in the final version of NIST SP 800-171 Rev. 3 in future Department of Defense contracts . . . and maybe beyond.