NIST SP 800-171 Assessment Checklist
If you are preparing for your NIST 800-171 assessment, this checklist will help you organize your thoughts, understand CMMC scoring, and more. Download it for free today.
Cybersecurity has become increasingly relevant in today's world as technology continues to advance. One of the most effective ways of maintaining a high level of cybersecurity in institutions is by adhering to regulatory requirements. One such publication is NIST SP 800-171. Over time, it has undergone revisions to keep up with the dynamic threat landscape. In May of 2023, NIST released Rev. 3 for public comment. How does this differ from past iterations?
NIST 800-171 was created in 2015. It was specifically established to increase protection of CUI, or Controlled Unclassified Information. Two years later, at the end of 2017, NIST released Revision 2. The most significant difference in this revision was that agencies handling CUI had to report their NIST 800-171 compliance in SPRS (Supplier Performance Risk System). The latest revision, released for comment in May 2023, is pending. What differences will your organization need to be aware of in the next year?
NIST itself highlights five changes that contractors and other organizations should be aware of. They are:
1. Updates to the security requirements and families to reflect updates in NIST SP 800-53, Revision 5 and the NIST SP 800-53B moderate control baseline
2. Updated tailoring criteria
3. Increased specificity for security requirements to remove ambiguity, improve the effectiveness of implementation, and clarify the scope of assessments
4. Introduction of organization-defined parameters (ODP) in selected security requirements to increase flexibility and help organizations better manage risk
5. A prototype CUI overlay
What exactly do these changes mean for your organization? In part, that depends on your organization. Three new control families will be part of Rev. 3: planning, system and services acquisition, and supply chain risk management. Agencies should also expect much more robust compliance standards where data security is concerned. Publication author Ron Ross notes, “Many of the newly added requirements specifically address threats to CUI, which recently has been a target of state-level espionage. We want to implement and maintain state-of-the-practice defenses because the threat space is changing constantly.”
Most of the talk about the newest revisions to NIST 800-171 has paralleled discussion centered around the Cybersecurity Maturity Model Certification, or CMMC. Because of the delay in CMMC rulemaking, companies that are certified to NIST 800-171 Rev. 2 standards will be able to receive a CMMC letter of conformance until the official release of the CMMC standard. For that reason, among many others, it is advisable to begin work now on NIST 800-171 compliance.
In the cases of both NIST 800-171 Rev. 3 and CMMC, a third-party assessment, rather than a self-assessment, will be mandatory. This will be a big change for many organizations, and it is one of the most discussed segments of the CMMC standard. Stay tuned here for more information as these standards continue to evolve.