Photo of Evan D. WolffPhoto of Michael G. Gruden, CIPP/GPhoto of Maida Oringher LernerPhoto of Jacob Harrison

On May 14, 2024, the National Institute of Standard and Technology (NIST) published the final versions of Special Publication (SP) 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and its companion assessment guide, NIST SP 800-171A, Revision 3 (collectively, “Rev. 3 Final Version”).  While the Department of Defense (DoD) is not requiring contractors who handle Controlled Unclassified Information (CUI) to implement Rev. 3 for now, it is expected that DoD will eventually incorporate Rev. 3 into both DFARS 252.204-7012,  Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012) as well as the forthcoming Cyber Maturity Model Certification (CMMC) program. 

For late-breaking impressions of Rev. 3 and its impact to contractors, join Crowell’s webinar on Wednesday, May 15, 2024 at 1:00 PM EDT featuring Crowell attorneys Evan Wolff and Michael Gruden in a robust discussion with one of the key architects of Rev. 3, NIST’s own Senior Computer Scientist, Victoria Pillitteri.

Background

NIST SP 800-171 contains security controls that are intended to help government contractors safeguard CUI received or generated in the course of contract performance, while NIST SP 800-171A is intended to help contractors assess their implementation of 800-171’s controls.  NIST has been working on the Rev. 3 update to 800-171 for over a year, and has released two prior versions of Rev. 3 for public comment: an Initial Public Draft in May 2023 and a Final Public Draft November 2023.

Notable Changes in the Final Version of Rev. 3

  • Some ODPs return. In the Rev. 3 Initial Public draft, NIST introduced “organization-defined parameters,” which were intended to increase flexibility by allowing individual agencies to specify values for designated parameters within security controls.  However, in the Final Public Draft NIST reduced the number of ODPs to 34, seemingly in response to industry concerns that the ODPs could cause contractors to be subject to conflicting obligations.  But in the final version of Rev. 3 released today, NIST has brought back 15 ODPs, settling on a total of 49 ODPs.  For ease of access, ODPs are listed in Appendix D to Revision 3.
  • “Periodically” is gone. The modifier “periodically” was used in contractor requirements throughout SP 800-171, Rev.2 (e.g., Control 3.12.4 required contractors to “[d]evelop, document, and periodically update system security plans…”).  NIST has categorically removed “periodically” from the Rev. 3 Final Version control requirements to reduce ambiguity.
  • New control families, but fewer total controls. Three new security requirement families, made up of nine new controls in total, have been added in Rev. 3 to maintain consistency with the SP 800-53B moderate control baseline: Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR). However, the total number of controls has dropped from 110 in Rev. 2 to 97 in the Rev. 3 Final Version, as many Rev. 2 controls have been withdrawn and/or subsumed into other controls.
  • No more “basic” vs. “derived” requirements. 3 also does away with the distinction drawn in Rev. 2 between “basic security requirements” (i.e. requirements obtained from Federal Information Processing Standards (FIPS) 200) and “derived” requirements (taken from NIST SP 800-53).  Instead, Rev. 3 requirements were reworked using 800-53 as “the single authoritative source” in an effort to make the requirements clearer and more specific.
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Evan D. Wolff Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical…

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Photo of Michael G. Gruden, CIPP/G Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked…

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.

Photo of Maida Oringher Lerner Maida Oringher Lerner

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber…

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.

Photo of Jacob Harrison Jacob Harrison

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including

Jacob Harrison helps his clients navigate both domestic and international legal challenges.

Jake advises U.S. government contractors on internal investigations and state and federal regulatory compliance. His compliance practice focuses on counseling clients operating at the intersection of government contracts and cybersecurity, including for cybersecurity compliance reviews, risk assessments, and data breaches.

In his international practice, Jake represents foreign and domestic clients in Foreign Sovereign Immunities Act and Anti-Terrorism Act litigation. He also has experience advising clients involved in cross-border commercial arbitration proceedings.

During law school, Jake served as an associate editor of the Emory Law Journal and interned at the Supreme Court of Georgia and the Georgia House Democratic Caucus. Before attending law school, Jake worked in politics and state government.