NIST Releases Final Versions of SP 800-171 Rev. 3 and SP 800-171A Rev. 3

by Mark Berman | CEO, FutureFeed.co

The National Institute of Standards and Technology (NIST) has published the final versions of Special Publications (SP) 800-171 Rev. 3 and 800-171A Rev. 3. These publications are crucial for organizations handling Controlled Unclassified Information (CUI) and provide updated guidelines for assessing and implementing security requirements to protect CUI.

Newly released:

Implications for FutureFeed Users

It is important for DoD contractors to note that the Cybersecurity Maturity Model Certification (“CMMC”) requirements are currently tied to NIST SP 800-171 Rev. 2.However, we expect NIST SP 800-171 Rev. 3 to become the new baseline for CMMC in the next 18-24 months. Contractors who are still early in their CMMC implementation process should be certain that they meet the requirements in Rev. 2 while also looking to Rev. 3 for guidance and futureproofing their programs.

We are excited for the release of Rev. 3, and have already begun ingesting the updated framework and assessment methodology into FutureFeed. We will release a platform update in the near future.

Revision 3 Updates

Below is a summary of some of the more significant changes:

Assessment Procedures

NIST SP 800-171A Rev. 3 introduces refined assessment procedures that are organized into 17 security requirement families. These procedures are designed to ensure comprehensive and consistent assessments across different organizations.

Cryptographic Protection

A notable update is that the explicit FIPS 140-2 validation requirements have been removed from NIST SP 800-171 Rev. 3. Instead, organizations are required to implement cryptography in line with applicable laws, directives, and standards. However, NIST does recommend FIPS-validated cryptography for protecting CUI. This should make complying with cryptography requirements easier for organizations adopting NIST SP 800-171 Rev. 3.

Organization-Defined Parameters (ODPs)

ODPs play a critical role in the flexibility and specificity of security requirements. They allow organizations to tailor security controls based on their unique needs and risk tolerance, ensuring that the security measures are relevant and effective. NIST SP 800-171 Rev. 3 includes several ODPs. It is unclear at this time which (if any) of the ODPs will be defined by DoD and which will be left to the contractor’s discretion. Contractors looking to adopt NIST SP 800-171 Rev. 3 should ensure that their programs are flexible enough to permit changes in any ODPs selected by the contractor in the event DoD releases tighter requirements.

Conclusion

NIST’s release of Special Publications 800-171 Rev. 3 and 800-171A Rev. 3 brings vital updates for protecting Controlled Unclassified Information (CUI). These revisions strengthen the security framework, enhance assessment procedures, and revise the government’s approach to cryptographic protection of CUI.

We are integrating these updates into the FutureFeed platform, with a goal of allowing our clients to seamlessly transition from Rev. 2 to Rev. 3. While current CMMC assessments use 800-171 Rev. 2, adopting Rev. 3 now ensures future compliance and enhanced security.

Authors

Tags