“Arm me with harmony.” – Treach, Naughty By Nature[1]

On May 14, 2024, the National Institute of Standards and Technology (NIST) dropped the third remix…er, revision…of its Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” It even came with a critical sidekick in the form of the companion assessment guide, “NIST SP 800-171A, Revision 3,” which gives organizations the necessary lowdown on “assessment procedures and methodologies” to check if they’re playing by NIST SP 800-171’s rules. Over a year in the making after previous releases in May and November of 2023, NIST’s finalized revision takes inspiration from industry by laying down the cybersecurity rules that contractors should expect to follow when handling Controlled Unclassified Information (CUI) for the US Department of Defense (DoD). While DoD isn’t requiring contractors who handle CUI to roll with Rev. 3 just yet, contractors can expect that DoD will eventually bring Rev. 3 into the mix for DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” (DFARS 7012), and will be harmonizing it with the upcoming Cyber Maturity Model Certification (CMMC) program at some point soon.

While there are some specific technical details in Rev. 3 that contractors need to recognize (like tightening its security controls from 110 to 97), the real game changer will be found in the 88 Organization-Defined Parameters, or ODPs. By leaving these effective “blanks” in 800-171, NIST is recognizing that not all data (or its accompanying risk) should be treated the same. But these ODPs might cause some head-scratching and, more importantly, uncertainty about the exact standards a contractor needs to meet for a specific customer, contract, or maybe even order.

At its most basic, the so-called flexibility of ODPs is intended to inure to the benefit of the government, not the contractor. Notably, as reflected in the Rev. 3 FAQs: “The determination of ODP values can be guided and informed by laws, Executive Orders, directives, regulations, policies, standards, guidance, or mission and business needs. If a federal agency or consortium of agencies do not specify a particular value or range of values for an ODP, nonfederal organizations must assign those values to complete the security requirement.” Translation: The agency will be identifying which ODPs matter for its award. The challenge, however, is that there is no requirement that these choices be uniform. That is, they need not align with (a) what other contracts have picked; (b) what other departments have picked; (c) what other agencies have picked; (d) what you’ve picked; (e) all of the above; (f) none of the above.

This uncertainty is a problem, especially since these 88 ODPs are resident in more than half (49) of the now 97 NIST SP 800-171 Rev. 3 security requirements that contractors are required to meet. That’s a significant number of gaps that need to be regularly addressed and filled. Moreover, the scope and breadth of these ODPs are expansive. Appendix D to Rev. 3 breaks it down by listing all the ODPs by family and showing the large mix of agency “choices” that might come into play. This list includes some serious and precise differences, like:

  • Additional actions
  • Authorities
  • Characteristic identifying individual status
  • Circumstances
  • Circumstances or situations requiring re-authentication
  • Composition and complexity rules
  • Conditions or trigger events requiring session disconnect
  • Conditions requiring rescreening
  • Devices or types of devices
  • Events or potential indications of events
  • Exceptions where remote activation is to be allowed
  • Frequency
  • Functions, ports, protocols, connections, and/or services
  • Granularity of time measurement
  • Numbers
  • Personnel or roles
  • Requirements for key establishment and management
  • Response times
  • Security functions
  • Security requirements
  • Security-relevant information
  • System configurations
  • Systems security engineering principles
  • Time period
  • Types of cryptography
  • Types of system media

Suffice it to say, that’s a ton of variables for a so-called standard. It’s even more challenging when you break down and spotlight some of the specific ODPs. For example:

Requirement 03.06.02 – Incident Monitoring, Reporting, and Response Assistance

  • Leaves unspecified both (1) the time period within which a cyber incident must be reported and (2) to whom it must be reported
    • This variance impacts the ability of contractors to have a robust incident response plan and may require multiple iterations.

Requirement 03.05.07 – Password Management

  • Leaves unspecified how often passwords are to be checked against lists of compromised passwords, as well as the composition and complexity rules for password use
    • This variance will impact acceptable use policies and fundamental network access protocols.

Requirements 03.13.10 and 03.13.11 – Cryptographic Key Establishment and Management/Cryptographic Protection

  • Leaves unspecified how cryptographic keys are to be generated/stored, as well as forgoing a government-wide cryptography mandate (although FIPS-validated is “recommended”)
    • While NIST SP 800-171 only tangentially addresses data integrity, variance in acceptable or directed cryptographic regimens could wreak havoc on contractor networks.

While these are just a few of the ODPs that NIST SP 800-171 Rev. 3 includes, their significance demonstrates the network and procedural chaos that may ensue absent some form of agency uniformity. The spread and presence of ODPs throughout the 800-171 security families vary widely, but the only family without ODPs is, ironically, 3.7, Maintenance.

In the end, the presence of ODPs calls for agencies to lay down a common directive addressing ODPs for contractors handling or possessing CUI. While this might shift a bit based on the nature of the CUI (regular controls [-171] vs. enhanced controls [-172], for example), normalizing or standardizing an agency approach to ODPs is critical, even if that approach is a blanket understanding that ODPs are solely left to the contractor’s discretion.

While NIST SP 800-171 Revision 3 makes things easier in some ways, the ODPs could still make it harder for contractors to hit agency standards. Even though ODPs bring that needed flexibility, they still mean a heavy lift for both agencies and contractors to fill in those “Mad Lib” blanks. Whether this can actually go down in a world where CUI is often misunderstood and the ghost of CMMC haunts everyone is still up in the air. But that track ain’t dropped yet.

“Break it down.” – Treach, Naughty By Nature

* Note: The author would like to add that this blog article was originally written alongside an accompanying parody of the Naughty By Nature song “OPP.” Although in the appropriate meter and replete with topically adjusted lyrics, the song and thematic jargon were forfeited to better serve the ease of readership…but it was dope.