Don't Panic! NIST SP 800-171r3 and FutureFeed
NIST released an initial public draft of NIST SP 800-171 r3 ("r3") on May 10, 2023. This blog post discusses that draft and our plans for incorporating r3 into FutureFeed.
NIST 800-171 Discussion Draft
Last year NIST announced that they would be updating 800-171, and asked for public feedback. They used that feedback, as well as feedback from other federal agencies and other stakeholders, to create the discussion draft that was released yesterday.
The changes in revision 3 are substantial. They simultaneously made the requirements easier to understand and implement while also preserving, and even adding, flexibility that allows contractor organizations to make risk-based decisions about their own environments and the data managed in those environments. Overall, we are very excited for revision 3 to be published, and we think it will make compliance more straightforward for contractors.
NIST's Implementation Timeline
NIST is leaving the public comment period open until July 14, 2023. At that time, they expect to "adjudicate" (i.e., review and respond to) the comments they receive. They expect that process to take a few months, and to publish an updated, but still draft, version of r3 late this year.
The goal is for that second public discussion draft to be fairly close to final, with only minor wordsmithing, layout, or other changes needed. That second public discussion draft will again be open for public comments for some period of time (likely a month or two), after which NIST will adjudicate any additional comments. The end result is that the official release of NIST SP 800-171 r3 will likely not happen until sometime in early calendar year 2024.
NIST does not expect to release an updated version of 800-171A until after 800-171 r3 is finalized. More than likely, the CMMC assessment requirements will not be updated until after the updated version of NIST SP 800-171A is released.
Don't Panic! - Preparing for r3
In the short term, while it makes sense for FutureFeed clients to review the changes in r3, clients are best off continuing to focus on the requirements in r2 (the current version) for at least the next 6 months.
We recommend this approach for at least two reasons:
- The r3 requirements may change as a result of the next rounds of public comments, so it makes more sense to wait for r3 to be finalized (or at least closer to final) before shifting gears; and
- Many of our clients are preparing for CMMC assessments.
On that latter note, in all likelihood, any changes to the CMMC assessment requirements will have to wait for:
- finalization of NIST SP 800-171 r3,
- finalization of NIST SP 800-171A r3,
- updates to the CMMC requirements,
- updates to the CMMC assessor training, AND
- retraining of at least some of the assessors.
Even if some of that work is done in parallel, the entire process will likely take at least a year, and more than likely 18-24 months. Thus, it simply makes more sense to continue on the current path toward compliance with NIST SP 800-171 r2.
All that being said, this is a great test of the CMMC program. As history has shown, NIST will continue to update 800-171 periodically, and the CMMC program, including all of the contractors who are compliant (or are pursuing CMMC compliance), needs to be mature enough to handle those changes without requiring wholesale changes to CMMC.
Incorporating NIST SP 800-171 r3 into FutureFeed
We've been studying the changes in the discussion draft so we can better understand how they might impact future versions of FutureFeed. So far, from a structural perspective, the changes seem to be in line with what we expected. So, while we will have to change the UI/UX to support r3, the changes are already in our development roadmap and we expect to be able to make support for r3 available in the platform within a few weeks of its final release.
We hope to be able to make the migration from r2 to r3 as painless as possible for our users, including (where possible) mapping of r2's evidence and other information to the r3 requirements.
Our plan is for the Big Picture and Technology subway stops to remain essentially as they are (though we may add a few additional fields to the Big Picture if you buy/add certain frameworks). These are the places where users collect and organize the compliance information/evidence they use across all frameworks. The Assess and SSP subway stops (and the main dashboard) are where users will see the biggest changes, because the information presented will focus on the selected framework. The Your FutureFeed subway stop will likely remain largely the same (albeit with the ability to filter the POA&Ms by framework).
As for how users will navigate to different frameworks, including r3, 800-53, CIS, and other frameworks that we'll be adding over the remaining months of this year, we expect it to be similar to what you do today when switching between NIST SP 800-171 and CMMC. You can switch from framework to framework by clicking the framework selector in the toolbar, as illustrated in the screen capture below.