NIST Releases Draft 800-171 Rev 3
NIST Special Publication 800-171 is the guide that all defense contractors must follow for protecting controlled unclassified information. It has been around since 2015 and has gone through several revisions. Revision 3 is the most recent, and NIST has released the “initial public draft”.
Expect a final draft this fall and a released version in the winter.
CMMC is the Defense Department’s third-party assessment standard for contractor compliance with this standard. CMMC requires contractors to comply with the then-current version of 800-171 at the time a contract is signed.
This means that subject to any transition period, if revision 3 is released in, say, February 2024 and you receive a new contract with CMMC requirements in it in March, the version of 800-171 you are certifying you are complying with by accepting the contract is revision 3.
In addition to the Pentagon, other folks use 800-171. This includes Homeland Security, the Department of Education, the Canadian military, the Australian military and others.
We have also seen other commercial entities require it. After all, if the security from 800-171 is good enough for the military and their contractors from 3 different countries, it is probably good enough for most commercial businesses.
For those of you familiar with 800-171, here is a high level summary of the changes:
They managed to stay with roughly the same 110 controls, but they did that by combining a bunch of requirements. They also added three new control families, two of which will require significant work by contractors to comply with – systems & service acquisition and supply chain risk management. Both of these are designed to make sure that you have your arms around third-party risk management.
By one reviewer’s count, here are the statistics:
- 18 controls with no significant change
- 49 controls with significant change
- 18 controls with minor changes
- 26 new requirements
- 27 withdrawn requirements
- 53 new organization-defined parameters
Before you run screaming from the room, this all builds on what you have done. A lot of the changes are reorganizing things. But there are also some new things that were not there before.
They also did a major overhaul of Appendix E. From the chart below, you can see those changes.
Appendix E had 60+ controls that the government expected contractors to comply with without being told (called NFO controls). Now, most of those are explicit in the new version, since contractors were not doing those things that they were not being graded on. ONE OF THE NEW REQUIREMENTS THAT USED TO BE IN APPENDIX E AND IS NOW IN THE CORE DOCUMENT IS A FULL SET OF POLICIES AND PROCEDURES. You will notice that even though NIST says there are still 110 controls, the CUI requirements alone went up from 125 to 168. 110 controls is a concept.
Another thing they have done is reformatted the document. It used to be that you had to flip back and forth to understand what they expected and also figure out where the requirements came from. Now that is all in one place – see below.
They have also done some prep work for future versions, including better alignment with its parent document, NIST SP 800-53B Rev 5. For example, they have added organization-defined parameters (ODPs), which makes it closer to 800-53, but makes your life harder since you could have two contracts with conflicting ODPs that you have to negotiate your way through.
This also includes a new 800-171 CUI overlay which they say will make life easier when 800-53 Rev 6 comes out. The jury is still out on that, but I have my fingers crossed.
There is a lot to grasp here; you will likely need help getting your arms around it. Please contact us for assistance. Also, since this is only draft one, stay tuned for future blog posts.
Here are some reference documents:
FAQ: https://csrc.nist.gov/files/pubs/sp/800/171/r3/ipd/docs/sp800-171r3-ipd-faq.pdf
Webinar with Dr. Ron Ross, creator of 800-53 and 800-171 and a NIST fellow: https://csrc.nist.gov/Events/2023/protecting-cui-draft-sp800171-rev3
NIST SP 800-171 Rev3: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r3.ipd.pdf