NIST 800-171 Revision 3: Updated Requirements for CUI Protection
NIST published the final version of Special Publication (SP) 800-171 Revision 3. Learn what changes Revision 3 introduces. Updated in May 2024.
On May 14, 2024, the National Institute of Standards and Technology (NIST) published the final version of Special Publication (SP) 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and its companion assessment guide, NIST SP 800-171A, Revision 3. NIST SP 800-171 Revision 3 contains security controls intended to help government contractors safeguard Controlled Unclassified Information (CUI) received or generated during contract performance. NIST SP 800-171A is designed to help contractors assess their implementation of 800-171’s controls and describes the assessment procedure for every compliance requirement. See our NIST SP 800-171 Self-Assessment Guide for more details.
This blog dives deeper into the NIST 800-171 Revision 3 updates. Let’s see what is new in Revision 3.
What is NIST 800-171
NIST SP 800-171 serves as a foundational set of security requirements for Department of Defense (DoD) contractors to safeguard CUI: unclassified information that the United States Government creates or possesses and that requires safeguarding or dissemination controls limiting its distribution to those with a lawful government purpose (DoD CUI Registry).
NIST requirements apply to non-federal system components that handle, store, or transmit CUI or provide protection for such components. The requirements outlined in NIST SP 800-171 are typically enforced through contractual arrangements or agreements between federal agencies (DoD) and nonfederal organizations (contractors).
Since its introduction in 2016, NIST 800-171 has undergone three revisions. The previous updates did not significantly change the content of the requirements. The latest, NIST 800-171 Revision 3, however, introduces several significant changes that aim to impose stringent requirements on all government contractors and associated vendors that handle federal information.
While contractors who handle CUI are not required to implement Revision 3 for now (as per the class deviation to DFARS 252.204-7012), it is expected that the Department of Defense will eventually make it obligatory by incorporating Revision 3 into both DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012), and the forthcoming Cybersecurity Maturity Model Certification (CMMC) program.
Let’s dive deeper into the NIST 800-171 Revision 3 updates.
NIST 800-171 Revision 3 Control Families
NIST 800-171 revolves around a subset of controls necessary for safeguarding CUI. The previous two revisions had 14 control families, but the current Revision 3 expands this to 17. The controls are organized as follows (the last three control families, marked with an asterisk (*), were added in Revision 3):
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment and Monitoring
- System and Communications Protection
- System and Information Integrity
- Planning*
- System and Service Acquisition*
- Supply Chain Risk Management*
The new Planning family addresses developing and maintaining policies, procedures, and rules. It also requires developing and maintaining a system security plan (SSP), which moved here from the Security Assessment and Monitoring family in Revision 2.
The System and Service Acquisition family addresses security and engineering principles, requiring organizations to follow defined engineering requirements for developing and modifying systems and components. It also includes requirements to replace unsupported systems and ensure external system providers comply with identified security requirements.
The Supply Chain Risk Management family includes requirements for managing tools, services, and vendors within the supply chain.
While the number of control families increased by 3 with the latest revision, the number of control requirements dropped by 13 and now comprises 95 requirements. Of these:
- 19 new requirements were added (largely incorporated from NIST 800-53);
- 33 requirements were withdrawn (largely consolidated into others);
- 18 requirements are unchanged;
- 46 requirements have significant changes;
- 14 requirements have minor changes.
Section 3 of NIST SP 800-171 Revision 3 describes applicable requirements for each of the NIST 800-171 control families, including numerous subcategories of requirements within each family.
No More Distinction Between Basic and Derived Requirements
NIST 800-171 Revision 3 has eliminated the distinction between basic security requirements (requirements obtained from Federal Information Processing Standards (FIPS) 200) and derived requirements (taken from NIST SP 800-53). Revision 3 requirements were reworked using 800-53 as “the single authoritative source” in an effort to make the requirements clearer and more specific.
More Specific Security Requirements
With Revision 3, the NIST 800-171 security requirements have been made more detailed in response to feedback that the previous requirements were too open to interpretation. The new, more detailed security requirements aim to improve implementation effectiveness and clarify the scope of assessments.
For example, the modifier “periodically” was used in contractor requirements throughout SP 800-171 Revision 2 (e.g., Control 3.12.4 requires contractors to “[d]evelop, document, and periodically update system security plans…”). Revision 3 instead requires reviewing and updating the system security plan at an organization-defined frequency.
Introduction of Organization-Defined Parameters (ODPs)
NIST 800-171 Revision 3 includes organization-defined parameters (ODPs) for specific security requirements. The ODPs give federal agencies flexibility by allowing them to specify values for designated parameters (time period, circumstances, conditions, frequency, functions, roles, etc.) within those security controls for safeguarding controlled unclassified information (CUI). See Appendix D of NIST 800-171 for more details.
Reflecting the Recent Changes in NIST SP 800-53 and SP 800-53B
In response to feedback that organizations are overwhelmed by the number of security and risk management frameworks, the updated NIST 800-171 requirements are now better aligned with NIST SP 800-53 Rev. 5 and NIST SP 800-53B. To facilitate the harmonization of requirements, NIST has provided a Prototype CUI Overlay, which shows how the moderate control baseline in NIST SP 800-53B can be tailored to align with the NIST SP 800-171 security requirements.
When to Comply with NIST 800-171 Revision 3?
On May 2, 2024, the Department of Defense issued a class deviation to DFARS 252.204-7012 “to provide industry time for a more deliberate transition upon the release of NIST 800-171 Revision 3.” The deviation suspends the requirement that contractors comply with the version of NIST SP 800-171 in effect when the government issues a solicitation. Instead, under the deviation, contractors are specifically directed to comply with NIST SP 800-171 Revision 2 (i.e., the current version) until the deviation is canceled.
To stay updated on recent cybersecurity and compliance-related topics, keep reading our blog. Feel free to contact the Planet 9 team for help with your security and compliance challenges. We’ll be happy to assist!