NIST 800-171 - By the Numbers

The highly anticipated NIST 800-171 revision 3 draft was just released. Here are some statistics, a few initial comments, and an analysis based on our cursory draft review.

  • 110 – Still the number of requirements included across the security families

  • 3 – The number of new security families added – Planning, System and Services Acquisition, & Supply Chain Risk Assessment.

  • 4 – The number of practices/requirements that were withdrawn

  • 23 – The number of practices/requirements that were removed but integrated into other practices

  • 27 – The number of new requirements

  • 64 – The number of requirements now “configurable” based on organizationally-defined parameters. 26 of those include more than one parameter to be defined by the organization.

The NIST commentary and notes to reviewers called out details on their approach and intent with this update, and most of the comments aligned with what we expected to see: a focus on better alignment with the NIST SP 800-53 moderate baseline, increased specificity, the introduction of organizationally-defined parameters, removal of outdated or redundant requirements, and recategorization of some controls.

We are pleased to see the addition of Supply Chain Risk Assessment, a practice addressing unsupported (end-of-life) components, clarifying policies, and setting user expectations. These are risks that all organizations face and should address as part of their security program.

As anticipated, a few changes and additions are likely to trigger significant comments and heated debate. First, encryption, specifically the requirement for FIPS-validated cryptography, has been a hot topic among organizations required to implement NIST SP 800-171. We don’t expect the debate to die down anytime soon.

As expected, the new draft updated references to cryptographic standards to include FIPS-validated encryption and NSA-approved cryptography in discussions. Still, the actual practice language does not specify FIPS-validated and allows for the assignment of organizationally-defined types of cryptography. Discussion (3.13.11) does state that cryptography is “implemented in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines.”

An addition that may surprise many is the requirement to have an independent organization assess the organization’s controls. This new requirement is unrelated to CMMC, and if it remains in the final version of Rev 3, it will be a requirement for any organization currently contractually obligated to comply with 800-171.

We expect many other changes and new requirements to generate significant feedback as they require most organizations to change or implement new business processes - especially those involving external organizations, vendors, and contractors.

Stay tuned! As we take time to dig deep into the changes and provide our comments to NIST, we’ll keep you updated. We also encourage organizations with CUI (or any legacy-controlled government information) to review the draft and provide their comments, questions, and feedback to NIST.

Interested parties can find the Revision 3 draft document, change analysis, FAQ, and template for providing comments on the NIST 800-171 Rev 3 site. Public comments are encouraged and open through July 14, 2023.

Contact Guernsey to discuss how these proposed changes could impact your organization and how we can help you implement a security program to reduce your organizational risk while ensuring compliance with regulatory and contractual obligations.

Author: Laura Fawcett CGEIT, Guernsey Risk and Compliance Consultant | 405.416.8183