New Update to NIST 800-171 (Revision 3) Coming Soon…

The next update to NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” is expected to be released in late Spring or early Summer of this year. NIST SP 800-171 is the source for contractor security requirements in Department of Defense regulations and the Cybersecurity Maturity Model Certification (CMMC) program.

An initial public draft of SP 800-171, Revision 3, is expected soon. Based on the feedback from the pre-draft call for comments from July of 2022 and ongoing NIST research efforts, significant updates are anticipated. According to NIST, one major update is that the Standard will align requirements with NIST SP 800-53, Revision 5, and include an overlay of CUI security requirements to NIST SP 800-53. The update includes other significant changes aimed at improving cybersecurity and protecting against emerging threats.

One of the key changes in Revision 3 that will help with the 800-53 alignment is the addition of new controls to address supply chain risks, including requirements for organizations to assess and monitor their suppliers’ security practices. This is a critical area, as vulnerabilities in the supply chain can be exploited to gain access to all sensitive data.  Details from the NIST announcement include the following potential changes:

  • Streamlining the Introduction and Fundamentals sections of the document
  • Withdrawing requirements that are either outdated, no longer relevant, or redundant
  • Reassigning some of the Non-Federal Organization (NFO) controls to the CUI, NCO, or FED tailoring categories
  • Adding new requirements based on changes to the NIST moderate control baseline in SP 800-53B and the reassignment of selected NFO controls
  • Changing the wording of selected requirements to achieve greater clarity and consistency with the controls in NIST 800-53
  • Combining requirements where appropriate for greater efficiency
  • Adding organizationally-defined parameters to selected requirements to achieve greater specificity of control requirements
  • Updating the discussion sections for individual requirements
  • Updating the supplemental information for individual requirements with additional technical references and mappings to SP 800-53, Revision 5 controls
  • Revising the structure of the ReferencesGlossary, and Acronyms sections for greater clarity and ease of use
  • Revising the tailoring and mapping tables in Appendix C and Appendix D, respectively, for consistency with the changes in the Requirements section
  • Adding a CUI Overlay appendix using the controls from SP 800-53, Revision 5, and the tailored moderate baseline from SP 800-53B

BSC Systems was one of the first approved CMMC Registered Practitioner Organizations and has been performing NIST 800-53 reviews for the Federal Government and commercial sector for over 15 years.  We are uniquely qualified to help your organization adapt to these new requirements and can provide excellent references supporting our track record of success. Contact us if you need an 800-171 or 800-53 Assessment, documentation support or calculation of your NIST 800-171 SPRS score.