
On November 9, 2023, the National Institute of Standards and Technology (“NIST”) released the Final Public Draft (“FPD”) of Special Publication (“SP”) 800-171 Revision (“Rev.”) 3, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” and the Initial Public Draft of NIST SP 800-171A Rev 3, “Assessing Security Requirements for Controlled Unclassified Information.”  The FPD of SP 800-171 Rev. 3 condenses several control requirements from the initial public draft while adding new requirements under existing controls.  The initial draft of SP 800-171A now aligns with SP 800-171 Rev. 3 and includes more detailed assessment procedures than its predecessor.  Changes in both documents forecast the evolving compliance requirements for organizations required to safeguard Controlled Unclassified Information (“CUI”).

Key Changes Between Initial and Final Public Drafts of NIST SP 800-171 Rev. 3

The FPD of NIST SP 800-171 Rev. 3 implements the following notable changes from the initial public draft. 

Removal of Controls

NIST removed the following controls in the FPD that were introduced in the initial draft:  3.1.23 Account Management – Inactivity Logout, 3.9.3 External Personnel Security, 3.11.4 Risk Response, 3.12.5 Independent Assessment, 3.12.7 Internal System Connections, 3.13.17 Internal Network Communications Traffic, 3.13.18 System Access Points, and 3.17.4 Component Disposal.  NIST also withdrew three existing security controls: 3.4.9 User-Installed Software, 3.13.3 Separation of System and User Functionality, and 3.13.7 Split Tunneling, determining that these were addressed by other controls.  

Combining of Controls

NIST incorporated the requirements from the following security controls into existing controls in the FPD:  3.1.23 Account Management – Inactivity Logout incorporated into 3.1.20 Use of External Systems, 3.2.3 Advanced Literacy Training incorporated into 3.2.1 Literacy Training and Awareness, and 3.3.9 Audit Information Access incorporated into 3.3.8 Protection of Audit Information.

Control Changes

NIST revised a handful of controls in the FPD, including: 

    • 3.12.1 Control Assessments changed to 3.12.1 Security Assessments, which changed the focus of the requirement from ensuring security controls are in place to ensuring adequate security.
    • 3.14.18 Spam Protection changed to 3.14.8 Information Management and Retention, which essentially withdrew the Spam Protection control and instead now requires CUI to be handled in accordance with other laws, executive orders, regulations, and guidelines.
    • 3.16.1 Security Engineering Principles changed to 3.16.1 Acquisition Process and now requires organizations to define the security requirements they will include in any acquisition contract for a system, system component, or system service.

Decreased ODPs

The FPD removes many organization-defined parameters (“ODPs”) included in the initial draft.  ODPs are undefined requirements that individual agencies can customize by specifying values for the designated parameters.  The FPD replaces ODPs with more general descriptions or terms.  For example, many controls that required an action or activities to occur within a defined time period now require them to occur “periodically.”  Similarly, the FPD replaced control language that previously required the organization to define a specific person or role within the company, with generic terms such as “organizational personnel or roles.”  See Control 3.1.1 (g) Account Management. 

Additional Requirements Under Controls

Changes to certain controls now require additional action from organizations.  For example, under 3.5.7 Password Management, organizations must now maintain a list of commonly used or compromised passwords and verify that those passwords are not used whenever users create or update passwords.  Other new requirements include checking media containing diagnostic and test programs for malicious code; documenting interface characteristics, security requirements, and responsibilities for each system exchanging CUI; including additional components within the System Security Plan (“SSP”); and protecting the SSP and Supply Chain Risk Management Plan from unauthorized disclosure.
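The 3.5.7 Password Management requirement described above is the one change in this list that maps directly onto a mechanical check: keep a list of commonly used or compromised passwords and reject any candidate that appears on it at account creation and password update. The following Python is an added illustration of that check; it is not code from the post, from NIST, or from any particular product. It assumes two design choices the requirement itself does not dictate: the list is stored as SHA-256 digests rather than plaintext, and matching is case-insensitive after Unicode normalization. The blocklist entries are constructed sample values.

```python
"""
Added example (not from the original post or from NIST): one way to implement
the SP 800-171 Rev. 3 FPD 3.5.7 requirement of maintaining a list of commonly
used or compromised passwords and verifying that a candidate password is not
on that list when an account is created or a password is updated.

Assumptions (design choices for this example, not stated in the post):
  * the list is held as SHA-256 digests, so plaintext need not stay in memory;
  * matching is case-insensitive after NFKC normalization, so trivial
    variants of a blocked value ("Password", "PASSWORD") still match.
"""
import hashlib
import unicodedata

# Constructed sample of "commonly used or compromised" passwords. A real
# deployment would load a much larger list from a file or breach feed.
SAMPLE_BLOCKLIST = [
    "password",
    "123456",
    "qwerty",
    "letmein",
    "Welcome1",
]

BLOCKED_REASON = "password appears on the commonly used/compromised list"


def _normalize(password: str) -> str:
    """Canonicalize before hashing. NFKC folds compatibility forms
    (e.g. fullwidth letters); casefold() makes the match case-insensitive."""
    return unicodedata.normalize("NFKC", password).casefold()


def _digest(password: str) -> str:
    """SHA-256 of the normalized password, hex-encoded."""
    return hashlib.sha256(_normalize(password).encode("utf-8")).hexdigest()


class PasswordBlocklist:
    """Hashed set of blocked passwords plus the check used on create/update."""

    def __init__(self, plaintext_entries):
        # Only digests are retained; the plaintext iterable is consumed once.
        self._digests = {_digest(p) for p in plaintext_entries}

    @classmethod
    def from_lines(cls, lines):
        """Build from an iterable of lines (e.g. an open file), skipping
        blank lines and '#' comments."""
        entries = (ln.strip() for ln in lines)
        return cls(e for e in entries if e and not e.startswith("#"))

    def add(self, password: str) -> None:
        """Maintain the list, e.g. add a value learned from a breach report."""
        self._digests.add(_digest(password))

    def is_blocked(self, candidate: str) -> bool:
        return _digest(candidate) in self._digests


def validate_new_password(candidate: str, blocklist: PasswordBlocklist):
    """Gate to call from account creation and password-update flows.
    Returns (accepted, reason)."""
    if blocklist.is_blocked(candidate):
        return False, BLOCKED_REASON
    return True, "ok"


if __name__ == "__main__":
    bl = PasswordBlocklist.from_lines(SAMPLE_BLOCKLIST)
    for pw in ["Password", "welcome1", "correct horse battery staple"]:
        print(repr(pw), validate_new_password(pw, bl))
```

Hashing the list rather than storing plaintext keeps the blocklist itself from becoming a convenient dictionary if the host is compromised, and `validate_new_password` is the single call both the registration and the change-password path should invoke so the control is enforced uniformly.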

Highlights of 171A Revision 3 Draft

NIST SP 800-171A provides organizations with the assessment procedures and methodology to conduct assessments of the security controls outlined in NIST SP 800-171.  The procedures are used to conduct self-assessments, independent third-party assessments, and government assessments. 

While the initial draft is only the second iteration of NIST SP 800-171A, this version will be called Rev. 3 to align with the SP 800-171 revision.  NIST made several key changes to 171A, such as aligning procedures with NIST SP 800-53A formatting and including ODP assessments. 

The assessment procedures in NIST SP 800-171A now align more closely with the requirements in NIST SP 800-171.  Like NIST SP 800-53A, which outlines the procedures for assessing the security of federal systems, NIST SP 800-171A now provides an assessment guideline for each subrequirement of each control.  For example, SP 800-171 control 3.1.5 Least Privilege contains subrequirements (a)-(d) as well as two ODPs.  SP 800-171A now includes specific guidance to assess (a)-(d) as well as each ODP. 

Key Takeaways

Contractors should review the FPD of NIST SP 800-171 Rev. 3 and determine the organizational impact the new proposed controls may have on their IT infrastructure and cybersecurity compliance, as the final version will ultimately become a contractual requirement under existing DFARS cybersecurity clauses and the forthcoming Cybersecurity Maturity Model Certification (“CMMC”) program.  While many initial-draft controls were removed, the FPD still includes new requirements, among them the Supply Chain Risk Management control family, identifying where CUI is located, and identifying who can access CUI within a covered network.  Such new requirements are certain to increase the compliance burden on contractors.

The comment period for the 171 and 171A drafts is open until January 12, 2024.

Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Maida Oringher Lerner

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.

Kate Growley

Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Nkechi Kanu

Nkechi A. Kanu is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm’s Government Contracts Group.

Nkechi’s practice focuses on False Claims Act investigations and litigation. Nkechi has significant experience assisting companies with complex internal investigations and represents clients in government investigations involving allegations of fraud. She also focuses on assisting clients with investigations relating to cybersecurity and information security compliance. Her complementary litigation practice involves defending companies in government-facing litigation arising under the FCA, resulting in the dismissal of qui tam complaints and successful settlements of FCA claims with DOJ.

Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.

Alexis Ward

Alexis Ward represents clients in a variety of matters at the intersection of government contracts and cybersecurity utilizing her experience in analytics and data architecture to counsel clients with a practical, real-world lens. As a member of Crowell & Moring’s Privacy and Cybersecurity and Government Contracts groups, Alexis has assisted clients in matters including False Claims Act investigations; developing corporate policies, procedures and governance; and in diverse matters involving cybersecurity and data privacy compliance, risk assessment and mitigation, and incident response.

During law school, Alexis founded USC Gould’s Privacy and Cybersecurity Law Society and was on the board of OUTLaw. Alexis also worked as a teaching assistant for the graduate programs’ Information Privacy Law course. Her paper The Oldest Trick in the Facebook: Would the General Data Protection Regulation Have Stopped the Cambridge Analytica Scandal? was published by the Trinity College Law Review.