NIST Special Publication (SP) 800-171 has been updated from Revision 2 to Revision 3 after more than a year of data collection, technical analysis, customer interaction, and development. The new version streamlines the introductory material; revises the security requirements to reflect the NIST SP 800-53B moderate baseline and its tailoring actions; eliminates the distinction between basic and derived security requirements; increases the specificity of the requirements; introduces organization-defined parameters (ODPs); groups related requirements; removes outdated and redundant requirements; and introduces a new tailoring category. The update also includes a prototype CUI overlay, a revised structure for the References, Acronyms, and Glossary sections, and a revised tailoring table. Transition information can be found on the publication details web page.
How were the security controls in 800-171 Revision 3 developed?
The starting point is the set of NIST SP 800-53 controls in the NIST SP 800-53B moderate baseline, which satisfy the minimum security requirements in FIPS 200. That baseline is then tailored to eliminate controls, or parts of controls, that are primarily the responsibility of the Federal Government, are not directly related to protecting the confidentiality of CUI, or are expected to be implemented by nonfederal organizations without specification by the Federal Government.
The resulting NIST SP 800-171 security requirements are therefore a subset of the controls needed for a complete information security program. They are grouped into 17 families, each covering a specific security topic. Some NIST SP 800-53 families are not included at all because of the tailoring criteria.
What are ODPs (Organization-defined Parameters)?
Organization-defined parameters (ODPs) are included in some requirements to give federal organizations additional flexibility. An ODP lets a federal agency specify the value for a designated parameter in a requirement (a frequency or a time period, for example) as needed, guided by laws, directives, policies, and other factors. Once specified, the value becomes part of the requirement; the assignment and selection operations are what allow this customization based on organizational protection needs.
NIST 800-171 Revision 3 is grouped into 17 control families
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment and Monitoring
- System and Communications Protection
- System and Information Integrity
- Planning (New)
- System and Services Acquisition (New)
- Supply Chain Risk Management (New)
Number of Changes to Security Requirements

| Type of Change | Change Description | Number |
| --- | --- | --- |
| No significant change | Editorial changes to the requirement; no change in outcome. | 18 |
| Significant change | Additional detail in the requirement, including more comprehensive detail on the foundational tasks for achieving the requirement's outcome. | 49 |
| Minor change | Editorial changes with limited changes in the level of detail and outcome of the requirement. | 18 |
| New requirement | Requirement newly added in the initial public draft (IPD) of SP 800-171 Rev 3. | 26 |
| Withdrawn requirement | Requirement withdrawn or migrated into another requirement. | 27 |
| New organization-defined parameter (ODP) | Requirements that include one or more new ODPs. New ODPs can apply to every change type except withdrawn requirements, so this row overlaps the rows above rather than adding to them. | 53 |
| Total number of security requirements in draft SP 800-171 Rev 3 | | 138 |
Timeline
It is not yet known when Revision 3 will be final, but historically NIST finalizes a publication within a year of its public draft. Because the draft must still go through the public comment process, the earliest we anticipate it becoming final is the end of 2023.
Implications to DFARS 7012
DFARS 252.204-7012 (DFARS 7012) does not name a specific revision of NIST SP 800-171, which means that once Revision 3 is final, it will be the publication contractors must follow to comply with DFARS 7012. At that point, any new or updated requirement that is not yet implemented must be added to your plan of action and milestones (POA&M) for planned remediation.
Implications to CMMC
The DoD has not released a public draft of a CMMC framework updated for 800-171 Revision 3. The framework must be updated to match Revision 3 once it is final, and that update will change the requirements for CMMC certification. The DoD has not said when to expect it.
Is it time for Defense Contractors to Freak Out?
For those already working toward compliance with 800-171 Revision 2, no. But defense contractors that are not yet on the path to compliance with the current revision of NIST 800-171 need to start the process urgently. On average, an organization takes 12-18 months to fully implement all of the Revision 2 controls, and a contractor that starts now will see the requirements grow midway through as Revision 3 becomes final. The time to start is now, and MAD Security can help.