The National Institute of Standards and Technology (NIST) released the third revision of its Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." This publication forms the basis of cybersecurity standards that contractors must meet when handling Controlled Unclassified Information (CUI) for the U.S. Department of Defense (DOD) and for the U.S. Department of Homeland Security's (DHS) new Cybersecurity Readiness Factor. Further, DOD's forthcoming Cybersecurity Maturity Model Certification (CMMC) program keys NIST SP 800-171 to achieve Level 2 certifications (though it is expected that CMMC will initially use the previous revision of SP 800-171 in the CMMC program).
Also released is the second version (but also called Revision 3) of NIST SP 800-171A titled "Assessing Security Requirements for Controlled Unclassified Information." As described by NIST, this companion publication provides organizations with "assessment procedures and methodologies" when assessing whether NIST SP 800-171 controls have been met. This document was last updated in 2018.
Key Changes
There are some important changes between the previous revision (Revision 2) and the current Revision (Revision 3) that contractors should understand:
- The introduction of organization-defined parameters (ODP). These new parameters will give contractors flexibility to tailor controls to their systems. For example, 03.01.01, Account Management, allows systems owners to define the time period when users are terminated or transferred.
- While the number of controls has decreased (from 110 to 97), many of the previous controls have been folded into other similar controls and actual requirements have instead increased.
- Further tying cybersecurity compliance to supply chain compliance, NIST SP 800-171 introduced a new Supply Chain Risk Management (SCRM) control family (borrowed from NIST SP 800-53). This family contains three controls, including requiring a Supply Chain Risk Management Plan (03.17.01), Acquisition Strategies, Tools, and Methods (03.17.02) and Supply Chain Requirements and Processes (03.17.03). Taken together, contractors will need to ensure supply chain security as part of meeting all of the controls in NIST SP 800-171.
There is also a direct cross-walk from NIST SP 800-53 Revision 5 (related to the protection of federal information systems) to NIST SP 800-171 Revision 3 (related to the protection of federal information on contractor systems) known as "Tailoring Criteria." Each NIST SP 800-53 control is mapped to a NIST SP 800-171 control. Where no NIST SP 800-171 control is mapped, NIST states whether it is: 1) not related to the protection of CUI, 2) is the responsibility of the federal government, 3) the control is sufficiently covered by another control, or 4) is inapplicable.
In a previous draft revision, independent assessments would have been required as one of the controls. NIST has eliminated that control in this final revision as "not directly related" to protecting CUI.
Takeaways and Next Steps
The release of this new standard will impact the government contracting space for years to come. Even so, immediate action is not required. Just recently, DOD issued a class deviation impacting Defense Federal Acquisition Regulatory Supplement (DFARS) Section 252.204-7012 that will give contractors a runway to adopt Revision 3 (previously, the effect would have been immediate). In addition, the draft CMMC rule set Revision 2 as the standard. Despite that, there is a forthcoming FAR rule that will require the adoption of NIST SP 800-171 government-wide and it is unclear which revision will be utilized in that rule. And DOD's class deviation can be rescinded at any time. Given that, it is wise for contractors to begin preparing for the implementation of this new version now.
Holland & Knight's Government Contracts Group will provide more insight and guidance as we continue to review these documents.
