NIST Releases Final Version of NIST SP 800-171, Revision 3

On May 14, 2024, the National Institute of Standard and Technology (NIST) published the final versions of Special Publication (SP) 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and its companion assessment guide, NIST SP 800-171A, Revision 3 (collectively, “Rev. 3 Final Version”).  While the Department of Defense (DoD) is not requiring contractors who handle Controlled Unclassified Information (CUI) to implement Rev. 3 for now, it is expected that DoD will eventually incorporate Rev. 3 into both DFARS 252.204-7012,  Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012) as well as the forthcoming Cyber Maturity Model Certification (CMMC) program. 

For late-breaking impressions of Rev. 3 and its impact to contractors, join Crowell's webinar on Wednesday, May 15, 2024 at 1:00 PM EDT featuring Crowell attorneys Evan Wolff and Michael Gruden in a robust discussion with one of the key architects of Rev. 3, NIST’s own Senior Computer Scientist, Victoria Pillitteri.

Background

NIST SP 800-171 contains security controls that are intended to help government contractors safeguard CUI received or generated in the course of contract performance, while NIST SP 800-171A is intended to help contractors assess their implementation of 800-171’s controls.  NIST has been working on the Rev. 3 update to 800-171 for over a year, and has released two prior versions of Rev. 3 for public comment: an Initial Public Draft in May 2023 and a Final Public Draft November 2023.

Notable Changes in the Final Version of Rev. 3

• Some ODPs return. In the Rev. 3 Initial Public draft, NIST introduced “organization-defined parameters,” which were intended to increase flexibility by allowing individual agencies to specify values for designated parameters within security controls.  However, in the Final Public Draft NIST reduced the number of ODPs to 34, seemingly in response to industry concerns that the ODPs could cause contractors to be subject to conflicting obligations.  But in the final version of Rev. 3 released today, NIST has brought back 15 ODPs, settling on a total of 49 ODPs.  For ease of access, ODPs are listed in Appendix D to Revision 3.
• “Periodically” is gone. The modifier “periodically” was used in contractor requirements throughout SP 800-171, Rev.2 (e.g., Control 3.12.4 required contractors to “[d]evelop, document, and periodically update system security plans…”).  NIST has categorically removed “periodically” from the Rev. 3 Final Version control requirements to reduce ambiguity.
• New control families, but fewer total controls. Three new security requirement families, made up of nine new controls in total, have been added in Rev. 3 to maintain consistency with the SP 800-53B moderate control baseline: Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR). However, the total number of controls has dropped from 110 in Rev. 2 to 97 in the Rev. 3 Final Version, as many Rev. 2 controls have been withdrawn and/or subsumed into other controls.
• No more “basic” vs. “derived” requirements. 3 also does away with the distinction drawn in Rev. 2 between “basic security requirements” (i.e. requirements obtained from Federal Information Processing Standards (FIPS) 200) and “derived” requirements (taken from NIST SP 800-53).  Instead, Rev. 3 requirements were reworked using 800-53 as “the single authoritative source” in an effort to make the requirements clearer and more specific.