NIST is updating the series of special publications (SPs) dedicated to the protection of controlled unclassified information (CUI) on nonfederal systems. The first update is to NIST SP 800-171. The latest version of NIST 800-171 is revision 2, and this update would result in revision 3.
Pre-Draft Call for Comments
On November 1st, 2023, NIST released their analysis of the more than 60 individuals and organizations who submitted comments. The chart below is from the document, and shows the sectors and sizes of the commenting entities:
There were a few items in their analysis that are worth highlighting:
The most commented on security requirement was 3.13.11, “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.” NIST will research and propose options in the forthcoming draft on how best to address feedback on the specific CUI security requirements to balance stakeholder concerns with appropriate countermeasures to protect the confidentiality of CUI.
It is interesting that they would consider offering leniency on the FIPS 140-2/3 requirement for cryptographic modules. NIST operates a program called the Cryptographic Module Validation Program (CVMP) which validates that cryptographic modules operate in accordance with the FIPS 140-2/3 standard. NIST has previously stated that they view crypto modules that are not FIPS-validated as offering no protection at all.
Commenters supported the inclusion of the NFO controls that are currently tailored out. This would result in a more comprehensive set of security requirements in a single source and provide needed foundational context and guidance for the CUI requirements
NIST tailored out 60 security controls and placed them in appendix E of NIST 800-171 r2. NIST refers to this appendix as nonfederal organization (NFO) controls. NIST believes that these controls are so obvious that all complete security program should include them.
Many believe that the appendix is not reviewed by organizations, and therefore many of these NFO the controls are not accounted for. If NIST tailors in the NFO controls, or at least a subset of them, this could drastically increase the number of NIST 800-171’s security controls from the current set of 110 requirements.
NIST wraps up the analysis document by saying that an initial public draft of NIST 800-171 r3 is planned for late Spring 2023. Additionally, they state that the following updates are planned for the forthcoming draft:
- Update the security requirements for consistency and alignment with SP 800-53, Revision 5
(including inclusive language updates), and the SP 800-53B moderate-impact baseline
- Develop a CUI overlay (Supplementary Appendix to the existing security requirement catalog) to better link the CUI security requirements to the SP 800-53 controls for stakeholder feedback
- Consider and propose options on how best to address stakeholder feedback on the NFO control tailoring
February 2023 Status Update from NIST
On February 16, 2023, NIST released a status update on the 3rd revision of NIST SP 800-171. In their statement, NIST stated many changes which are under consideration – here are the most consequential changes:
- Withdrawing requirements that are either outdated, no longer relevant, or redundant with other requirements
- Reassigning some of the NFO controls to the CUI, NCO, or FED tailoring categories
- Adding new requirements based on changes to the NIST moderate control baseline in SP 800-53B and the reassignment of selected NFO controls
- Combining requirements where appropriate for greater efficiency
- Adding organizationally-defined parameters to selected requirements to achieve greater specificity of control requirements
- Adding a CUI Overlay appendix using the controls from SP 800-53, Revision 5 and the tailored moderate baseline from SP 800-53B
The (1) withdrawing of outdated requirements will be beneficial. Some of NIST 800-171’s guidance needs to be brought up to date with NIST’s latest guidance, such as password management.
The (2) reassignment of “some of the” NFO controls to the CUI tailoring category will impact the number of security controls.
The (5) addition of organizationally-defined parameters (ODPs) will bring NIST 800-171 closer to NIST 800-53’s format. ODPs are in the text of the control, such as “Lock the computers screen after [organization defined amount of inactivity] minutes of inactivity.
ODPs allow for more control of the security controls at the organization level by allowing policies and procedures to populate the ODPs. ODPs do provide another layer of complexity when managing the security requirements, but they also offer an opportunity for automation.
The (6) CUI overlay appears to be a simple reference that is similar to the existing appendices in NIST 800-171 r2.
May 2023 Draft Release of NIST 800-171 r3
NIST released the draft of NIST 800-171 r3 on May 10, 2023. The draft was very well received by the community. Although there are still 110 controls, there are some notable changes. NIST highlighted the changes in a FAQ, and provided a detailed analysis of the changes.
Here are some additional interesting changes:
- Addition of the “Planning” family.
- Addition of 3.15.2, “System Security Plan.”
- Addition of 3.12.5, “Independent Assessment.”
- Change 3.5.3, “Multi-factor Authentication,” to be required for all accounts no matter the access method.
- Previously it was only required for access to privileged accounts and network access to non-privileged accounts.
June 2023 Status Update from NIST
NIST held a webinar on June 10, 2023 where they highlighted the latest updates of the draft.
The slide deck is here. Here is the overview slide highlighting the significant changes:
Here is the timeline slide. The slide indicates that NIST 800-171 and NIST 800-171A will be completed in Q2 of FY24.
What Does This Mean for CMMC?
The DoD’s Cybersecurity Maturity Model Certification (CMMC) is currently in the federal rulemaking process. The output of this process will either be an interim-final rule or a proposed rule.
If the rulemaking process results in an interim-final rule, then we would see CMMC requirements in contracts in 2023. If the rulemaking process results in a proposed rule, then we would likely see CMMC requirements in contracts in 2024.
The release and incorporation of NIST 800-171 r3 is a complication that the DoD doesn’t need during its CMMC rulemaking process. CMMC currently relies on NIST 800-171 r2 and NIST 800-172. The least complex solution for DoD is to push the implementation of the to-be released NIST 800-171 r3 right.
I personally believe it could be a few years before DoD requires the implementation of the to-be released NIST 800-171 r3, however, many CMMC professionals believe that the DoD will begin to require the implementation of NIST 800-171 r3 the moment NIST releases the final version.
DFARS 252.204-7012 is the current contractual driving force requiring the implementation of NIST 800-171. It requires that contractors implement the version of NIST 800-171 in effect at the time of the solicitation, OR as authorized by the contracting officer.
To perform an orderly transition, the DoD could issue guidance requiring the implementation of NIST 800-171 r3 in new CMMC certifications by a certain date, and direct contracting officers to specify NIST 800-171 r2 in contracts until that date. This would allow the bulk of organizations to obtain their initial CMMC certifications under NIST 800-171 r2, and then recertify under NIST 800-171 r3. Historically, the DoD has used this approach when new revisions of NIST SP 800-53 have been released.
To perform an orderly transition, the following documentation (among others) would need to be updated:
- NIST updates NIST 800-171A
- DoD updates:
- DoD Assessment Methodology (ie SPRS scoring)
- CMMC implementation guidance
- CMMC assessment guidance
- Cyber AB updates the CMMC Assessment Process (CAP)
Additionally, NIST has indicated that there will be updates to NIST 800-172 (and NIST 800-172A), the document which DoD will pull its CMMC level 3 requirements from. From what we know today, NIST has not yet begun to update NIST 800-172, so the final version of NIST 800-172 and NIST 800-172A could be released in 2024.
These NIST SP updates do complicate the situation for DoD, and it will be very interesting to see how they handle this. Once the new CMMC rule is released, they will be able to communicate how they will address this.