On November 9th 2023 National Institute of Standards and Technology, NIST, released special publication 800-171 Revision 3 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations as a Final Public Draft. Both the full draft and accompanying assessment methodology were released together. The public comment period runs from November 9th to Jan 24th and comments can be submitted to [email protected]
While many in the Defense Industrial Base (DIB) wonder how Revision 3 will impact their compliance, the DIB should really stay focused on NIST 800-171 Revision 2. Revision 3 changes nothing for the foreseeable future. Any contractor with a DFARS 7012 clause in their contract today is required to meet NIST 800-171r2. We’ll keep you updated as things progress.
Background
As a refresher, NIST is responsible for developing information security requirements including the minimum safeguards for protecting the confidentiality of CUI in nonfederal systems and organizations. Specifically NIST 800-171 focuses on components that store, process, transmit CUI or provide protection for such components. The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and non-federal organizations.
For its part, the DOD has adopted NIST 800-171r2 in DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting regulations. DFARS 7012 requirements have been in effect since December 2017.
NIST 800-171r3 – Where less truly is more
Currently NIST 800-171r2 consists of 110 controls which must be met to achieve compliance. Under the NIST 800-171r3 the number of controls has dropped to 95. However it is important to note that controls are only met by satisfying all of the assessment objectives related to each control. Under 800-171r2 there are 320 assessment objectives that must be satisfied to meet the 110 controls. Under 800-171r3 however there are 390 assessment objectives that must be satisfied to meet the 95 controls. Some of the the controls from Revision 2 were folded into other controls in Revision 3. But, while there are fewer controls in Revision 3, the assessment will be more rigorous as you have over 20% more assessment objectives to meet.
This challenge is clear to see when we take the very first control for example, 3.1.1. Under r2 there are six Assessment Objectives (AO)s to meet while under r3 there are 22 AOs to meet. So while r3 was slimmed down in number of controls there are more AOs that must be met to achieve 100% compliance.
The NIST 800-171r3 Timeline
NIST 800-171r3 was released on November 9th 2023 with a public comment period until Jan 24th 2024. From there NIST will adjudicate the comments and respond publicly to all comments and make revisions as needed. NIST has stated that they expect 800-171r3 Final release to occur in Spring 2024.
What is the impact of NIST 800-171r3 on CMMC?
The question on everyone’s mind is how will 800-171r3 impact CMMC level 2 which is in proposed rule status at the Office of Management and Budget (OMB). The release of CMMC proposed rule is imminent and at this time we expect CMMC level 2 to fall under 800-171r2.
What should we do now?
As it stands today, existing contracts are regulated under DFARS 7012. Both DFARS and the future CMMC will likely require NIST 800-171r2. Additionally contractors are required to be compliant with the version of NIST that is in effect at the time of solicitation. That means current contracts will require NIST 800-171r2 for the foreseeable future. Revision 3 may begin to impact new solicitations once it is released in final form.
Given 800-171r3 is still in draft format and we don’t have the final CMMC rule our recommendation is to focus on existing obligations under DFARS 7012 and 800-171r2