On November 9, 2023, the National Institute of Standards and Technology (“NIST”) released the Final Public Draft (“FPD”) of Special Publication (“SP”) 800-171 Revision (“Rev.”) 3, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” and the Initial Public Draft of NIST SP 800-171A Rev 3, “Assessing Security Requirements for Controlled Unclassified Information.” The FPD of SP 800-171 Rev. 3 condenses several control requirements from the initial public draft while adding new requirements under existing controls. The initial draft of SP 800-171A now aligns with SP 800-171 Rev. 3 and includes more detailed assessment procedures than its predecessor. Changes in both documents forecast the evolving compliance requirements for organizations required to safeguard Controlled Unclassified Information (“CUI”).
Key Changes Between Initial and Final Published Drafts of NIST SP 800-171 Rev. 3
The FPD of NIST SP 800-171 Rev. 3 implements the following notable changes from the initial public draft.
Removal of Controls
NIST removed the following controls in the FPD that were introduced in the initial draft: 3.1.23 Account Management – Inactivity Logout, 3.9.3 External Personnel Security, 3.11.4 Risk Response, 3.12.5 Independent Assessment, 3.12.7 Internal System Connections, 3.13.17 Internal Network Communications Traffic, 3.13.18 System Access Points, and 3.17.4 Component Disposal. NIST also withdrew three existing security controls: 3.4.9 User-Installed Software, 3.13.3 Separation of System and User Functionality, and 3.13.7 Split Tunneling, determining that these were addressed by other controls.
Combining of Controls
NIST incorporated the requirements from the following security controls into existing controls in the FPD: 3.1.23 Account Management – Inactivity Logout incorporated into 3.1.20 Use of External Systems, 3.2.3 Advanced Literacy Training incorporated into 3.2.1 Literacy Training and Awareness, and 3.3.9 Audit Information Access incorporated into 3.3.8 Protection of Audit Information.
NIST revised a handful of controls in the FPD, including:
- 3.12.1 Control Assessments changed to 3.12.1 Security Assessments, which shifted the focus of the requirement from ensuring security controls are in place to ensuring adequate security.
- 3.14.18 Spam Protection changed to 3.14.8 Information Management and Retention, which essentially withdrew the Spam Protection control and instead now requires CUI to be handled in accordance with other laws, executive orders, regulations, and guidelines.
- 3.16.1 Security Engineering Principles changed to 3.16.1 Acquisition Process and now requires organizations to define the security requirements they will include in any acquisition contract for a system, system component, or system service.
The FPD removes many organization-defined parameters (“ODPs”) included in the initial draft. ODPs are undefined requirements that individual agencies can customize by specifying values for the designated parameters. The FPD replaces ODPs with more general descriptions or terms. For example, many controls that required an action or activities to occur within a defined time period now require them to occur “periodically.” Similarly, the FPD replaced control language that previously required the organization to define a specific person or role within the company, with generic terms such as “organizational personnel or roles.” See Control 3.1.1 (g) Account Management.
Additional Requirements Under Controls
Changes to certain controls now require additional action from organizations. For example, under 3.5.7 Password Management, organizations must now maintain a list of commonly used or compromised passwords and verify, whenever users create or update passwords, that the new password is not on that list. Other new requirements include checking media containing diagnostic and test programs for malicious code; documenting interface characteristics, security requirements, and responsibilities for each system exchanging CUI; including additional components within the System Security Plan (“SSP”); and protecting the SSP and Supply Chain Risk Management Plan from unauthorized disclosure.
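The 3.5.7 check described above, as an added illustration that is not part of the NIST publication or this article: a small password-change gate that keeps the denylist as hashes of case-folded, Unicode-normalized entries and rejects a candidate that matches. The sample denylist and the `verify_new_password` helper are constructed for this example.

```python
"""Illustrative denylist check for SP 800-171 Rev. 3 FPD control 3.5.7 (constructed example)."""
import hashlib
import unicodedata
from dataclasses import dataclass

# Constructed stand-in for the organization's maintained list of commonly used
# or compromised passwords; a real list would be far larger and refreshed regularly.
SAMPLE_DENYLIST = ["Password1", "Welcome123", "letmein", "P@ssw0rd", "Summer2023!"]


def normalize(pw: str) -> str:
    """Unicode-normalize and case-fold so a listed password still matches
    when a user only changes letter case or uses a compatibility form."""
    return unicodedata.normalize("NFKC", pw).casefold()


def fingerprint(pw: str) -> str:
    """SHA-256 of the normalized password; the list is stored as digests so
    the denylist file itself is not a plaintext trove of working credentials."""
    return hashlib.sha256(normalize(pw).encode("utf-8")).hexdigest()


def build_denylist(passwords) -> set:
    """Compile the maintained list into a digest set for O(1) lookups."""
    return {fingerprint(p) for p in passwords}


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str  # suitable for an audit record; never echoes the matched entry


def verify_new_password(candidate: str, denylist: set) -> Verdict:
    """Gate to run on every password create or update, before the hash is stored."""
    if fingerprint(candidate) in denylist:
        return Verdict(False, "candidate appears on the commonly used/compromised password list")
    return Verdict(True, "candidate not found on denylist")


DENYLIST = build_denylist(SAMPLE_DENYLIST)

if __name__ == "__main__":
    for pw in ("P@SSW0RD", "correct-horse-battery-staple"):
        v = verify_new_password(pw, DENYLIST)
        print(f"{'accept' if v.accepted else 'reject'}: {v.reason}")
```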
Highlights of 171A Revision 3 Draft
NIST SP 800-171A provides organizations with the assessment procedures and methodology to conduct assessments of the security controls outlined in NIST SP 800-171. The procedures are used to conduct self-assessments, independent third-party assessments, and government assessments.
While the initial draft is only the second iteration of NIST SP 800-171A, this version will be called Rev. 3 to align with the SP 800-171 revision. NIST made several key changes to 171A, such as aligning procedures with NIST SP 800-53A formatting and including ODP assessments.
The assessment procedures in NIST SP 800-171A now align more closely with the requirements in NIST SP 800-171. Like NIST SP 800-53A, which outlines the procedures for assessing the security of federal systems, NIST SP 800-171A now provides an assessment guideline for each subrequirement of each control. For example, SP 800-171 control 3.1.5 Least Privilege contains subrequirements (a)-(d) as well as two ODPs. SP 800-171A now includes specific guidance to assess (a)-(d) as well as each ODP.
Contractors should review the FPD of NIST SP 800-171 Rev. 3 and determine the organizational impact the newly proposed controls may have on their IT infrastructure and cybersecurity compliance, as the final version will ultimately become a contractual requirement under existing DFARS cybersecurity clauses and the forthcoming Cybersecurity Maturity Model Certification (“CMMC”) program. While many initial-draft controls were removed, the FPD still includes new requirements, among them the Supply Chain Risk Management control family, identifying where CUI is located, and identifying who can access CUI within a covered network. Such new requirements are certain to increase the compliance burden on contractors.
The comment period for 171 and 171A drafts is open until January 12, 2024.