“Arm me with harmony.” – Treach, Naughty By Nature[1]
On May 14, 2024, the National Institute of Standards and Technology (NIST) dropped the third remix…er, revision…of its Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” It even came with a critical sidekick in the form of the companion assessment guide, “NIST SP 800-171A, Revision 3,” which gives organizations the necessary lowdown on “assessment procedures and methodologies” to check if they’re playing by NIST SP 800-171’s rules. Over a year in the making after previous releases in May and November of 2023, NIST’s finalized revision takes inspiration from industry by laying down the cybersecurity rules that contractors should expect to follow when handling Controlled Unclassified Information (CUI) for the US Department of Defense (DoD). While DoD isn’t requiring contractors who handle CUI to roll with Rev. 3 just yet, contractors can expect that DoD will eventually bring Rev. 3 into the mix for DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” (DFARS 7012), and will be harmonizing it with the upcoming Cyber Maturity Model Certification (CMMC) program at some point soon.Continue Reading NIST SP 800-171 Revision 3 Goes Final: Who’s Down with ODP?