NIST 800-171 Rev 3 announcement

With cyber threats constantly evolving, the federal government has to work overtime to stay a step ahead of cyber criminals and find ways to protect sensitive data. Of course, this can leave federal contractors feeling like they are constantly playing catch-up to meet their compliance obligations, as security protocols seem to change constantly. This is particularly true for organizations that must comply with NIST SP 800-171, as this framework has once again been updated with the recent release of Rev 3.

Designed to help government contractors safeguard CUI, NIST SP 800-171 outlines required security standards and practices that non-federal organizations that handle CUI on their networks must abide by. While CUI is not considered classified, this data is still sensitive and must be properly secured in order to protect national interests.

Yet, the release of NIST 800-171 Rev 3 may leave you wondering what’s been changed and how you can ensure you maintain compliance. To help get you started, keep reading as we take a deeper look at NIST SP 800-171, CUI, what’s new in SP 800-171 Rev 3, and the steps that you can take to ensure you maintain compliance with these new security protocols.

Introduction to NIST SP 800-171

If you are a new or aspiring government contractor and you are not familiar with NIST SP 800-171, you may find yourself wondering what this framework is and why it is important. Before we dive into what was changed in Rev 3, let’s first take a look at what NIST 800-171 does.

NIST SP 800-171 is a set of guidelines outlining how non-government organizations should handle and protect controlled unclassified information. The National Institute of Standards and Technology (NIST) is a federal agency tasked with developing cybersecurity standards to protect sensitive government information stored or handled by the federal government, third parties, partners, and contractors. The agency developed NIST SP 800-171 in 2015 to give federal contractors a standard for safeguarding controlled unclassified information (CUI) on non-federal networks to strengthen cybersecurity amidst rising threats.

NIST SP 800-171 was then established as a means to define practices and procedures government contractors must adhere to when processing and storing CUI. However, as new cyber threats have emerged and technology has changed, these guidelines have required updating several times, which led to NIST SP 800-171 Revision 3 being released in May 2024.

Understanding Controlled Unclassified Information (CUI)

To understand the role NIST 800-171 plays in protecting government data, you must first know what CUI is and why government contractors need to keep it secure. If your organization has contracts with a federal agency, you will likely hear the term “controlled unclassified information,” or CUI.

While CUI may not be top secret like classified documents, it still contains sensitive information that must be safeguarded to maintain compliance with NIST SP 800-171 guidelines. If you are unfamiliar with CUI, keep reading to learn more about what it is and the role it plays in data protection.

Definition of CUI

The Federal Trade Commission defines CUI as information that requires safeguarding or dissemination controls according to federal laws, regulations, and government-wide policies, but is not classified information. CUI is thus a category of non-classified sensitive information, controlled by the government, that needs protecting.

History and Development of CUI

The term controlled unclassified information emerged out of a need to protect information that, while not classified, still contained sensitive government information. CUI was then introduced through an executive order by President Obama in 2010 to provide a framework to protect sensitive information and standardize the way that the federal government and its partners handle this information.

Importance of CUI in Data Protection

If your organization handles CUI, it is essential that you take steps to protect it, including ensuring NIST SP 800-171 compliance, because of the sensitive nature of this information. CUI has been deemed sensitive for a reason, and even though it is not classified, this data could still threaten national security if it falls into the wrong hands. Mishandling CUI could also result in civil or criminal sanctions against your organization and damage your reputation. For organizations that handle CUI, maintaining NIST SP 800-171 compliance is essential to protecting national interests.

Who Needs to Comply with NIST 800-171?

The U.S. Government relies on many external organizations to provide essential services. However, to do their jobs effectively, these contractors often store sensitive information on their networks. Any organization that handles or transmits CUI as part of its contract with the U.S. government must therefore comply with NIST SP 800-171 to ensure that this sensitive data is protected. Common organizations that may need to maintain compliance with NIST SP 800-171 include:

  • Contractors for the Department of Defense (DoD)
  • Contractors for the Department of Energy (DoE)
  • Contractors for the Department of Homeland Security (DHS)
  • Contractors for the General Services Administration (GSA)
  • Contractors for the National Aeronautics and Space Administration (NASA)
  • Universities and research institutions that use federal data or are supported by federal grants
  • Service providers for federal agencies
  • Any other organization that processes, stores, or transfers CUI of a federal agency

What’s Different in NIST 800-171 Rev 3?

As a government contractor, it is likely that you have previously worked to achieve NIST 800-171 compliance and that you have stayed up to date with its previous revisions. You may then find yourself wondering what makes NIST 800-171 Rev 3 different.

As with its previous iterations, NIST 800-171 Rev 3 contains security controls that are meant to help government contractors protect CUI. To make sure NIST 800-171 meets the needs of government contractors in an ever-changing cybersecurity landscape, NIST worked on the Rev 3 update for over a year, spending months collecting data and altering the security requirements outlined in NIST 800-171 to better protect CUI from cyber threats. The final version of this document was released in May 2024 and contains several substantial changes compared to previous versions of NIST 800-171, including:

Streamlined Security Controls

One of the biggest updates to NIST 800-171 in Rev 3 is the addition of enhanced security controls. With cyber threats to CUI constantly on the rise, NIST has established new streamlined controls meant to reduce threats and vulnerabilities and make it easier for organizations to protect the CUI in their possession.

These enhanced security controls include better access controls that are meant to ensure that only authorized personnel can access sensitive information, as well as enhanced encryption standards to help protect sensitive data being stored or shared by government contractors. Rev 3 also tightens security requirements for storing data in the cloud, and it updates mobile device management requirements for devices with access to CUI to further enhance cybersecurity.

New Control Families Added

In previous iterations, NIST 800-171 contained controls spread across 14 families of general security topics. Rev 3 adds three new control families, made up of nine new controls, to maintain consistency with the SP 800-53B moderate control baseline from which SP 800-171 is derived. The new control families introduced in Rev 3 are:

  • Planning (PL): Focuses on developing strategic plans to manage security risks.
  • System and Services Acquisition (SA): Ensures that security is considered during the acquisition of systems and services.
  • Supply Chain Risk Management (SR): Addresses risks associated with the supply chain to help protect CUI from cyber threats.

In total, NIST 800-171 Rev 3 is made up of the following 17 control families:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Assessment, Authorization, and Monitoring
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Planning
  • Personnel Security
  • Risk Assessment
  • System and Services Acquisition
  • System and Communications Protection
  • System and Information Integrity
  • Supply Chain Risk Management

Fewer Security Controls

While NIST 800-171 Rev 2 had 110 security controls spread across its 14 families, Rev 3 has only 97 controls spread across its 17 control families. This is because many controls were combined or removed entirely to simplify compliance, reduce overlapping controls, and provide clearer direction. Many of the “missing” controls weren’t removed; they were combined with similar controls to streamline the compliance process.

Ambiguous Language is Removed

A simple but important change made in NIST SP 800-171 Rev 3 is the removal of ambiguous language to improve clarity and simplify the implementation of the outlined security controls. For instance, the word “periodically” was previously used throughout SP 800-171, such as in control 3.12.4, which required contractors to “periodically update system security plans.” This wording was confusing, as contractors didn’t know how often they needed to update their security plans. Rev 3 removes this wording to enhance clarity.

No More Basic vs. Derived Requirements

NIST 800-171 Rev 3 also did away with the separate “basic” and “derived” security requirements outlined in Rev 2. Instead, Rev 3 uses the requirements outlined in 800-53 and reworks them so that they provide clearer and more specific guidelines for securing controlled unclassified information.

Organizationally Defined Parameters Are Introduced

NIST 800-171 Rev 3 also introduces Organizationally Defined Parameters (ODPs), which are meant to increase flexibility by allowing individual agencies to specify values for parameters within security controls. This gives federal agencies the ability to tailor controls to support specific organizational missions or business functions, manage risks, and simplify assessments by providing greater specificity. This also makes it easier for businesses to map NIST 800-171 to other frameworks they may be following, simplifying integration with their existing security protocols.

Overall, NIST made extensive and comprehensive changes to SP 800-171 in Rev 3 that enhance clarity, boost security, and make it easier for organizations subject to this framework to achieve compliance. Of course, this is by no means an exhaustive list of the changes made in Rev 3, and it is important that you review the supplemental materials provided by NIST to see for yourself how NIST 800-171 Rev 3 differs from previous iterations. You may also want to consider partnering with an MSP that has experience helping organizations similar to yours achieve and maintain NIST compliance, as they can help guide you through your responsibilities for securing CUI on your systems.

Steps to Achieve Compliance with NIST SP 800-171 Rev 3

While the process of becoming NIST SP 800-171 Rev 3 compliant will vary for each organization, a well-structured approach is essential to ensure success. Here is a look at some of the most important steps that organizations can take to achieve compliance.

  • Conduct a Gap Analysis: The first step that you should take is to review your current security practices and compare them against the updated requirements in NIST SP 800-171 Rev 3. This can help you quickly identify where changes are needed to ensure compliance.

  • Develop a Compliance Plan: Based on the results of the gap analysis, you can then develop a plan outlining the steps you’ll need to take to achieve compliance. This plan should include the specific tasks that need to be performed, who will oversee these tasks, and timelines for completing each step. Make sure to prioritize actions based on risk assessments.

  • Implement Required Security Measures: At this point, you should start implementing the security controls outlined in NIST SP 800-171 Rev 2. This may involve upgrading software, improving access controls, updating security policies, or implementing encryption to meet compliance requirements.

  • Collect Documentation: Next, you will need to prepare audit documentation to demonstrate compliance with NIST 800-171. Documentation that you can use to help show compliance includes records on system architecture, data flow, personnel, and security procedures.

  • Monitor and Maintain: Once your organization complies with the updated NIST 800-171 requirements, continuous monitoring and maintenance will be essential to ensure ongoing compliance.

How Agile IT Can Help You Achieve NIST SP 800-171 Rev 3 Compliance

With the release of SP 800-171 Rev 3, NIST ensured that government contractors and subcontractors have the tools that they need to protect CUI and integrate NIST 800-171 with their existing security infrastructure. As a federal contractor, maintaining compliance with SP 800-171 Rev 3 is essential in allowing you to maintain existing government contracts and acquire new ones.

Yet, achieving NIST 800-171 compliance can be complex, and you may be unsure where to start or whether NIST 800-171 Rev 3 even applies to your organization. This is understandable, particularly after the Department of Defense issued a class deviation stating that defense contractors subject to CMMC certification should continue using NIST 800-171 Rev 2 for now in order to “provide (the) industry time for a more deliberate transition to Rev 3.”

This is why it is so important that government contractors who handle CUI work with an MSP that has experience helping organizations achieve and maintain NIST compliance. The right MSP can help you determine which regulations apply to your organization, maintain compliance, and ensure you are prepared for assessments.

If you are looking to partner with an MSP that has experience handling the unique compliance and security needs of government contractors, look no further than Agile IT. We have helped organizations comply with security standards such as NIST 800-171 and DFARS, which are essential to CMMC certification.

Feel free to contact us today, and learn how we can help you achieve and maintain NIST SP 800-171 compliance, as well as to find out how we can help guide and support you throughout the CMMC certification process.
