NIST SP 800-171 Revision 3 Finalized: A Whisper in the Roar of CMMC
Although overshadowed by the larger, admittedly more consequential swings in the world of CMMC, NIST 800-171 – the source of CUI protection requirements – has made an incremental step forward with the finalization of Revision 3. The revision was released in May of 2024, but went unnoticed by many focused on the bigger prize of CMMC.
Although CMMC has unambiguously committed to Revision 2 for the launch and early days of the program, no one in the ecosystem believes that Revision 2 is sufficient to handle the ongoing needs of the DIB (Defense Industrial Base) to protect itself from malicious foreign actors. While the Cyber AB, the steward of the CMMC program, has indicated that it will take up to 18 months to retool the program to run under a new revision of NIST 800-171, organizations that have achieved Level 2 certification should begin to examine the new requirements that may be in play when their recertification comes due in 3 years.
NIST SP 800-171: What is it, and what’s new?
If you read our article on the initial public draft over a year ago, you’re in luck! The broad strokes of the revision remain the same: alignment with NIST SP 800-53 and improvement of the usability of the framework. If you’re familiar with previous versions of NIST SP 800-171, you can skip down to the Specific Control Changes section below. For all others, let me provide some background information.
Background of NIST
In June 2015, the National Institute of Standards and Technology (NIST) released Special Publication (SP) 800-171: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations, to provide minimum security baselines for inclusion in contracts or other agreements between federal agencies and organizations that would handle CUI on their behalf. CUI is a broad category of information that includes personally identifiable information, proprietary business information, unclassified technical information, and sensitive law enforcement data.
NIST 800-171 may be more recognizable as the baseline for the Defense Federal Acquisition Regulation Supplement (DFARS) and Cybersecurity Maturity Model Certification (CMMC). As of its last revision in February 2020, NIST 800-171 had 110 control requirements spread across 14 control families that corresponded to the families in NIST SP 800-53 Rev. 4, which covers security controls for federal systems. In 2022, due to the constantly evolving landscape of cybersecurity and interest in soliciting usability feedback from adopting organizations, NIST determined that an update to the framework was necessary. Three rounds of public comments and nearly 2 years later, NIST SP 800-171 Revision 3 has been finalized.
What to Expect from Revision 3
The primary difference in the newest revision is an expansion in scope: 8 new controls cover the additional control families of Planning, System and Services Acquisition, and Supply Chain Risk Management, and 11 single control additions are spread across the original 14 families. This change aligns NIST SP 800-171 with the NIST SP 800-53 revision 5 moderate baseline, which will now serve as its single authoritative source. Despite this expansion, there is a net decrease in controls from 110 to 97 (109 in the initial public draft), primarily due to the consolidation of existing controls. The other principal change is a dramatically increased level of detail in control descriptions, which helps to align organizations, assessors, and frameworks.
Alignment with NIST 800-53
The primary reasons for releasing this updated NIST 800-171 version were to enhance its usability and clarity. This was achieved by aligning NIST 800-171 with the NIST 800-53 revision 5 moderate baseline and removing references to FIPS 200.
This decision makes framework knowledge and resources more transferable and was informed by public comments that the differences between public and private security and risk management frameworks were overwhelming. This refocusing also eliminates the distinction between basic and derived security requirements, provides control titles, and adds additional detail to each control. These changes improve the clarity of the framework and ensure that organizations and assessors are aligned in their interpretations of the controls.
A critical new detail is the use of organization-defined parameters (ODPs), which give organizations and their federal partners the flexibility to assess and manage their risk. These ODPs range from specific values, such as the time frame before a network connection is terminated, to general parameters, such as the accounts allowed in an information system. They should all be clearly defined in a mature program, and they enable federal agencies enforcing NIST SP 800-171 to tailor minimum requirements for the organizations they engage with, similar to how FedRAMP does.
Specific Control Changes
These overarching changes are accompanied by additional individual controls that expand the requirements. The most significant differences are the new families: Planning, System and Services Acquisition, and Supply Chain Risk Management.
The Planning family calls for specific Rules of Behavior documentation surrounding CUI and formal policy describing the development and review of the system security plan (SSP).
The System and Services Acquisition and Supply Chain Risk Management families overlap and introduce requirements for programs that assess and manage external suppliers and service providers.
Notably, only six controls were removed: Voice over Internet Protocol (VoIP), password generations, automatic disabling of inactive identifiers, temporary password use, system architecture, and the maintenance of organizational systems. All other controls were incorporated into remaining requirements, so even though the formal control count has decreased by 13, make no mistake, there is a considerable increase in the control coverage of NIST SP 800-171.
NIST SP 800-171 Next Steps
If you are interested in NIST SP 800-171, you are most likely a member of the CMMC ecosystem. This means that the lion’s share of your focus has been on the official launch of CMMC and the anticipated inclusion of certification requirements beginning in 2025.
For the moment, revision 3 requirements are years out, making it tempting to delay a close analysis of the new requirements. Yet not so long ago, CMMC also seemed a long way out.
Organizations that have achieved CMMC Level 2 Certification should begin to position themselves for the inevitable transition to revision 3, particularly the entirely new requirements around supply chain and vendor management.
Wherever you are on your CMMC journey, Tevora can help. As a Registered Practitioner Organization (RPO) with an A2LA-certified NIST SP 800-171 assessment program, Tevora is qualified and experienced in helping organizations achieve their compliance goals. As a candidate C3PAO, Tevora will soon be qualified to deliver certified assessments, and achieving this landmark will keep you qualified for all DoD contracts for years to come.
The final publication is accompanied by a change analysis spreadsheet and FAQ that can provide further details.
We Can Help
If you have questions or would like help bringing your organization into compliance, just give us a call at (833) 292-1609 or email us at sales@tevora.com.