We have some big news about protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. The much anticipated initial draft of the National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 3 was released on May 10, 2023.
In this article, we will discuss the changes that have been implemented, important dates to remember, and the potential effects on small and medium-sized businesses. Our exclusive insights come from Justin Weeks, an industry expert in cybersecurity and compliance.
NIST SP 800-171 Revision 3
On July 19, 2022, NIST announced its intent to update the CUI series of publications – starting with SP 800-171. This update was necessary because there have been significant changes in cyber threats, capabilities, vulnerabilities, technologies, and resources since the initial publication in June 2015.
Additionally, NIST wanted to enhance the customer experience of safeguarding information through the 800-171 series and actively sought feedback from those who must comply with the requirements to make improvements.
These requirements apply only to components of systems outside of the federal government that handle or safeguard CUI (i.e., organizations that process, store, or transmit CUI). They are intended to be used by federal agencies in contracts or agreements with nonfederal organizations. Implementing these requirements is essential so that the federal government can carry out its missions and functions effectively, with sufficient protection for the information involved.
In March 2023, we shared that the update was scheduled to be released in spring 2023, and that day has arrived. Revision 3 is the result of more than a year’s worth of work, bringing together various efforts and developments, including:
- Redesign
- Data collection
- Technical analysis
- Customer interaction
- Security requirement development
NIST painstakingly revised the publication by incorporating public comments and ensuring that the changes aligned with its responsibility to meet several requirements, including:
- CUI federal regulation
- Executive Order (EO) 13556
- Federal Information Security Modernization Act
- Office of Management and Budget (OMB) Circular A-130
Significant Changes from NIST SP 800-171 Revision 2
NIST took great care to ensure that technical and nontechnical requirements were made clear and recognized the specific needs of both federal and nonfederal entities. NIST highlights five significant updates in the initial public draft:
- Updates to the security requirements and families to reflect updates in NIST SP 800-53, Revision 5, and the NIST SP 800-53B moderate control baseline.
- Updated tailoring criteria.
- Increased the specificity of security requirements to remove ambiguity, improve the effectiveness of implementation, and clarify the scope of assessments.
- Introduced organization-defined parameters (ODP) in selected security requirements to increase flexibility and to help organizations better manage risk.
- Developed a prototype CUI overlay.
It’s worth mentioning that there were some removed items in this update, including the distinction between basic and derived security requirements as well as outdated and redundant security requirements.
Plans of Action and Milestones (POA&Ms) are now allowed at all maturity levels, but they can only be used for certain non-critical cybersecurity practices. Senior executives of companies that decide to go the self-assessment route are required by CMMC 2.0 to personally attest to the veracity of the self-assessment, which exposes them personally to potential enforcement action by the US Department of Justice (DoJ).
NIST 800-171 Resources
- Check out the NIST 800-171 update spreadsheet to dive deeper into the changes between Revision 2 and Revision 3.
- Review NIST’s FAQ sheet to learn more about why each of the significant changes were made.
Structure of Security Requirements
The draft focuses on making the CUI series more consistent, improving its usability and implementation in organizations. The control sections are organized by requirement, followed by a discussion section that provides additional insight and any applicable references.
Direct SP 800-171r3 Security Requirement Example
3.1.2 Access Enforcement
Enforce approved authorizations for logical access to CUI and system resources in accordance with applicable access control policies.
DISCUSSION
Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. Types of system access include remote access and access to systems that communicate through external networks, such as the internet. Access enforcement mechanisms can also be employed at the application and service level to provide increased protection for CUI. This recognizes that the system can host many applications and services in support of mission and business functions.
REFERENCES
Supporting Publications: SP 800-46 [15], SP 800-57-1 [16], SP 800-57-2 [17], SP 800-57-3 [18], SP 800-77 [19], SP 800-113 [20], SP 800-114 [21], SP 800-121 [22], SP 800-162 [23], SP 800-178 [24], SP 800-192 [25], IR 7874 [26], IR 7966 [27]
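The subject/object enforcement the 3.1.2 discussion describes, as an added illustration that is not text or code from the NIST draft or this article: a default-deny enforcement point at the application level, where subjects are users or processes acting on behalf of users, objects carry a CUI marking, and every decision is recorded for audit. The roles, rules, users and file names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Subject:
    """Active entity: a user, or a process acting on behalf of a user."""
    user: str
    roles: frozenset
    process: Optional[str] = None   # set when a process acts for the user

@dataclass(frozen=True)
class Obj:
    """Passive entity: file, record or domain, with its CUI marking."""
    name: str
    kind: str
    cui: bool

@dataclass(frozen=True)
class Rule:
    kind: str      # object kind the rule covers
    action: str    # "read" or "write"
    cui: bool      # True if the rule also covers CUI-marked objects

# Constructed policy: approved authorizations per role. Anything that is
# not listed here is denied.
POLICY = {
    "cui-handler": {Rule("file", "read", True), Rule("record", "read", True)},
    "cui-admin":   {Rule("file", "read", True), Rule("file", "write", True)},
    "staff":       {Rule("file", "read", False)},   # non-CUI files only
}

def enforce(subject: Subject, obj: Obj, action: str, audit: list) -> bool:
    """Default-deny enforcement point; records every decision for audit."""
    # A process acting for a user carries that user's roles, never more.
    allowed = any(
        r.kind == obj.kind and r.action == action and (r.cui or not obj.cui)
        for role in subject.roles
        for r in POLICY.get(role, ())
    )
    who = f"{subject.process or 'user'}:{subject.user}"
    audit.append(f"{'ALLOW' if allowed else 'DENY'} {who} {action} {obj.name}")
    return allowed

def demo() -> list:
    """Run a few constructed checks; returns the audit trail."""
    audit = []
    alice = Subject("alice", frozenset({"cui-handler"}))
    bob = Subject("bob", frozenset({"staff"}))
    svc = Subject("alice", frozenset({"cui-handler"}), process="report-svc")
    report = Obj("contract-report.docx", "file", cui=True)
    memo = Obj("lunch-menu.txt", "file", cui=False)
    enforce(alice, report, "read", audit)   # allowed by cui-handler rule
    enforce(alice, report, "write", audit)  # denied: no write rule for the role
    enforce(bob, report, "read", audit)     # denied: staff rule excludes CUI
    enforce(bob, memo, "read", audit)       # allowed: non-CUI file
    enforce(svc, report, "read", audit)     # allowed: process acts for alice
    return audit
```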
Impact on Small Businesses
Small businesses often struggle with limited funds to meet security and compliance regulations. Unfortunately, small to mid-sized organizations that handle CUI and are looking to reduce costs through exemptions in NIST 800-171 Revision 3 will not find any.
Revision 3 emphasizes that nonfederal organizations handling CUI must comply with NIST standards and guidelines to ensure the information is safeguarded. It clarifies that the responsibility to protect CUI remains with federal agencies even when the information is shared with nonfederal organizations, which is why a similar level of protection is required. However, when the requirements are properly implemented through an external service provider, small businesses can better manage the cost.
Here’s what Justin Weeks had to say about the update:
Insights from Compliance Expert Justin Weeks
“Overall, NIST SP 800-171r3 (Initial Public Draft) has made some very pleasing improvements. Beyond the topical changes in the number of controls (they’re all still there, just in a different way), there’s been a number of clarifications and inclusions.
Two notable items (there were many) include an apparent potential softening of the Federal Information Processing Standards (FIPS) validated encryption requirement and a doubling down on the requirements of Security Protection Assets needing to comply with the standard. Specifically, if they ‘provide protection for such components’ of nonfederal systems that process, store, or transmit CUI.
Based on this, it seems less likely that we will see a softening of the language in the CyberAB CMMC Assessment Process (CAP) regarding those providing services (external service providers) requiring the need to be CMMC Certified. At the very least, they will need to meet the NIST 800-171 requirements, regardless of what the CAP says, if the standard keeps the language.
Regarding the FIPS-validated encryption requirements, it is nice to see that there may be a softening of the requirements here. The language could be clearer as it can be read in multiple ways. I respect the challenges NIST is having with the language here. Too often, we hear complaints about the requirement, but what is not widely discussed is the ramifications of not having it at all.
It’s quite evident that this requirement can’t be entirely dropped. Although there’s very good encryption and associated products that are not FIPS validated (here’s to you WireGuard!), the removal of the requirement would introduce the very real risk of having data encrypted with very weak encryption (like Caesar Cipher) or not encrypted at all due to lack of testing and validation of the implementation!
Finally, the 3.4.8 Authorized Software section has a big change from the previous allotment of an application blacklisting or whitelisting solution, to now exclusively requiring application whitelisting.”