NIST 800-171 Rev 3: what you need to know

On May 10, 2023, the draft of NIST 800-171 Rev 3 was published for comment. Comments are expected by July 14, 2023.

As a reminder, NIST 800-171 is the reference standard for the protection of Controlled Unclassified Information (CUI). It is required for U.S. government contractors and subcontractors.

Compared with Revision 2, the new NIST 800-171 Rev 3 brings some changes.

In this article, we'll look at the changes made in NIST 800-171 Rev 3.

NIST 800-171 Rev 2 has 14 domains

NIST 800-171 Rev 2 is the version currently in force. It will remain so until NIST 800-171 Rev 3 is officially adopted.

NIST 800-171 Rev 2 is made up of 14 cybersecurity domains. For details of these domains, please consult this link.

NIST 800-171 Rev 3 expands to 17 domains

In addition to the 14 domains of NIST 800-171 Rev 2, Revision 3 introduces 3 new domains, bringing the total number of domains to 17.

The 3 new domains are:

  • Cybersecurity planning
  • Systems and services procurement
  • Supply chain management

The total number of NIST 800-171 controls remains unchanged (110).


NIST 800-171 Rev 3: removal of obsolete and redundant security requirements

NIST 800-171 Rev 3 clarifies and eliminates requirements that are now obsolete or redundant. As a result, 10 of the 14 domains of NIST 800-171 Rev 2 have been updated (security controls added or removed).

The areas that have been adjusted are as follows:

  • Access control: 5 security controls deleted, 1 added
  • Configuration management: 1 security control removed
  • Identification and authentication: 1 control added, 4 deleted
  • Maintenance: 3 controls removed
  • Media protection: 2 controls removed
  • Physical and environmental security: 3 controls deleted, 2 added
  • Risk assessment: 1 control deleted, 1 added
  • Security assessment and monitoring: 1 control deleted, 3 added
  • Systems and communications protection: 4 controls deleted, 2 added
  • Integrity of information and systems: 3 controls deleted, 1 added

As you can see, NIST 800-171 Rev 3 is quite different from Rev 2.

If you are a supplier to the US government and are currently compliant with NIST 800-171 Rev 2, expect to be asked to comply with NIST 800-171 Rev 3 in the coming years.

Introducing a new concept: Organization-defined parameters (ODP)

One of the changes in NIST 800-171 Rev 3 is the introduction of organization-defined parameters (ODP) in certain security requirements, to increase flexibility and help organizations better manage risk.

For example, in the Access Control domain of NIST 800-171, control 3.1.8 states that user accounts must be locked after X failed login attempts. If you decide to set X to 10, that value becomes an ODP and is de facto considered an integral part of control 3.1.8.
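The following is an added example (not code from the article, from NIST or from StreamScan) of what an ODP means in practice: the lockout threshold is a parameter the organization chooses, and the enforcement logic must read it rather than hard-code it. The threshold of 10, the 15-minute counting window and the 30-minute lockout duration below are assumed values for illustration, and the plaintext credential store is a constructed stand-in for a real password-hash lookup.

```python
"""Account lockout after X failed logins, where X and the timing values are ODPs.

Added example; the policy values are assumptions, not values from NIST 800-171.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List
import time


@dataclass(frozen=True)
class LockoutPolicy:
    """Organization-defined parameters for the lockout control (assumed values)."""
    max_failed_attempts: int = 10        # the "X" of control 3.1.8
    attempt_window_seconds: int = 900    # failures older than this no longer count
    lockout_seconds: int = 1800          # how long the account stays locked


@dataclass
class AccountState:
    failure_times: List[float] = field(default_factory=list)  # recent failures
    locked_until: float = 0.0                                  # epoch seconds


class LoginGuard:
    """Tracks failed attempts per account and applies the policy's ODP values."""

    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock  # injectable so the lockout window can be tested
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username: str) -> bool:
        return self.clock() < self._state(username).locked_until

    def record_failure(self, username: str) -> bool:
        """Record one failed attempt; return True if the account is now locked."""
        now = self.clock()
        st = self._state(username)
        cutoff = now - self.policy.attempt_window_seconds
        st.failure_times = [t for t in st.failure_times if t > cutoff]
        st.failure_times.append(now)
        if len(st.failure_times) >= self.policy.max_failed_attempts:
            st.locked_until = now + self.policy.lockout_seconds
            st.failure_times.clear()
            return True
        return False

    def record_success(self, username: str) -> None:
        self._state(username).failure_times.clear()


def attempt_login(guard: LoginGuard, credentials: Dict[str, str],
                  username: str, password: str) -> str:
    """Return 'ok', 'failed' or 'locked'. The lock is checked before the password."""
    if guard.is_locked(username):
        return "locked"
    # Constructed plaintext store for the example; real code compares password hashes.
    if credentials.get(username) == password:
        guard.record_success(username)
        return "ok"
    return "locked" if guard.record_failure(username) else "failed"


def simulate(max_attempts: int = 10) -> List[str]:
    """Drive the guard with a fake clock: X wrong passwords, then the right one
    while locked, then the right one after the lockout period has elapsed."""
    fake_now = [1000.0]
    policy = LockoutPolicy(max_failed_attempts=max_attempts,
                           attempt_window_seconds=900, lockout_seconds=1800)
    guard = LoginGuard(policy, clock=lambda: fake_now[0])
    creds = {"alice": "correct-horse"}  # constructed sample account
    results = []
    for _ in range(max_attempts):
        results.append(attempt_login(guard, creds, "alice", "wrong"))
        fake_now[0] += 1
    results.append(attempt_login(guard, creds, "alice", "correct-horse"))  # still locked
    fake_now[0] += policy.lockout_seconds
    results.append(attempt_login(guard, creds, "alice", "correct-horse"))  # lock expired
    return results


if __name__ == "__main__":
    print(simulate())
```

Changing the ODP means changing only `LockoutPolicy`, which is the point of the concept: an assessor checks that the value you documented is the value the system enforces, so keeping the parameter in one place makes that evidence easy to produce.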

Enforcement of NIST 800-171 Rev 3

NIST 800-171 Rev 3 is not yet in force. You should stick to Revision 2, as a number of steps remain before Rev 3 becomes effective:

  • A call for public comments was launched on May 10, 2023. Comments are expected by July 14, 2023.
  • After July 14, NIST will review and take the comments into account.
  • The final version of NIST 800-171 Rev 3 is scheduled for Q2 2024 (estimate).

Note: there may be additional delays. Please note that until the new NIST 800-171 Rev 3 is officially in force, you are bound by Rev 2.


Start getting ready

Although you shouldn't start implementing NIST 800-171 Rev 3 requirements just yet, we suggest you start assessing the impact of these changes, so that you're ready when the time comes.

Impact on CMMC 2.0

Since CMMC is based on NIST 800-171 Rev 2, when Rev 3 comes into force, changes will inevitably be made to CMMC. However, this change will not take place in the short term, as not only will NIST 800-171 Rev 3 still take some time to finalize, but there will also be a transition phase.

So consider that there is no impact on CMMC at present, and that no changes are planned for the coming months.

If you are asked to comply with NIST 800-171, focus on NIST 800-171 Rev 2.

Evaluate your readiness for CMMC 2.0 or NIST 800-171 compliance

We've created a form to help you assess your level of readiness for CMMC 2.0 or NIST 800-171 compliance.

How can StreamScan help you?

StreamScan is a CMMC Registered Provider Organization (RPO) and is officially authorized to support organizations in their CMMC process.

As a CMMC RPO, StreamScan is kept constantly informed of the evolution of CMMC and NIST 800-171. We ensure that our customers always have the right information, and we support them in the transition to new versions.

Our cybersecurity experts are available to support you in your CMMC or NIST 800-171 compliance process. We regularly help organizations determine and submit their SPRS score to the US Department of Defense (DoD).

For more details on our CMMC and NIST 800-171 service, visit this link.
