NIST SP 800-171r3 Final Public Draft Released

by Rachel Leidy | Director of Compliance Education, CCA, CCP, CISSP

The National Institute of Standards and Technology (“NIST”) released two updated DRAFT documents today that are critical to FutureFeed users and the broader CMMC ecosystem.

The first, NIST SP 800-171r3, was released as a “Final Public Draft”. As a Final Public Draft, the document is expected to largely remain unchanged, except for minor typographical or other changes, when the document is formally released. Public comment on the draft is open until January 12, 2024, and NIST expects to release the official version of NIST SP 800-171r3 sometime toward the end of Q1 2024 or in early Q2.

The second document, NIST SP 800-171Ar3, the Assessment Guide for NIST SP 800-171Ar3, was released as an “Initial Public Draft”. Public comments on this document are also due January 12, 2024.

Typically, when NIST releases new documents, they go through the Initial Public Draft → Final Public Draft → Official Document process. However, NIST previously indicated that the official versions of both NIST SP 800-171r3 and 800-171Ar3 are expected to be released at the same time.

Changes for Contractors

Complexity and Clarity

At first glance, when you compare NIST SP 800-171r3 with the current version, there are significant changes. However, it appears that NIST has merged many of the “objectives” that had been previously “hidden” in NIST SP 800-171Ar2 into the main document. They have also added some clarity around certain objectives. This will make it much easier for contractors who are new to CMMC and NIST SP 800-171, because the requirements will be in one place and more clearly defined.

NIST SP 800-171Ar3 still includes objectives, but these have been tailored to focus on the assessment process, as opposed to introducing new requirements. Again, this should make things easier for both contractors and those assessing the contractors.

While the NIST SP 800-171r3 requirements are, at least at first glance, more complex, most of them are actually things that contractors were already doing if they’ve previously adopted NIST SP 800-171r2. NIST simply spelled things out in more detail. So, the transition from r2 to r3 for those who have implemented the existing requirements should not, in many cases, require a significant overhaul of a contractor’s existing cybersecurity program.

Additional Requirements and Objectives

In addition to the high-level organizational changes, NIST SP 800-171r3 also introduces several new requirements. We will have more details on those requirements in future blog posts.

Impact on JSVAs and CMMC

The impact of NIST SP 800-171r3 and 800-171Ar3 on JSVAs and CMMC is still to be determined. We do not expect the Joint Surveillance Voluntary Assessments to begin assessing contractors against NIST SP 800-171r3 until after that document is officially released and DIBCAC has time to review it and update their internal procedures and train their staff. This will likely take at least 3-6 months from the release of the official version of NIST SP 800-171r3.

As for CMMC, we expect CMMC certifications to begin sometime in 2024. However, the changes to NIST SP 800-171A may mean that some aspects of Certified CMMC Professional and Certified CMMC Assessor trainings may need to be updated. This means, as a practical matter, that it is unlikely that CMMC assessments will require companies to meet the NIST SP 800-171r3 requirements until at least the middle of 2024, and more likely not until sometime in 2025 at the earliest.

Impact on FutureFeed

From a user experience standpoint, NIST SP 800-171r3 will require some significant changes to the FutureFeed experience that you’ve come to know and love. For example, although the idea of “defining” and “identifying” things has existed in NIST SP 800-171r2, the introduction of more explicitly referenced Organizationally Defined Parameters will require us to change certain aspects of the user interface.

We have already started on the update process to support NIST SP 800-171r3, and we expect to have it available in the platform shortly after the official version is released at the end of Q1/beginning of Q2 2024. It will be available as a no-cost update for those who subscribe to the DoD Contractor Bundle.

Please join us at CIC2024 to learn more about NIST SP 800-171 and CMMC. Please also join us for our upcoming user and partner webinars to learn more about how FutureFeed will change to help you address NIST SP 800-171r3 and to see previews of these changes.

November 11th, 2023
