Summit 7 Blogs

7 Things to Know About SP 800-171 Revision 3

Written by Jacob Horne | May 17, 2024 7:55:23 PM


What is NIST 800-171 and how does it relate to CMMC?

The National Institute of Standards and Technology (NIST) is the United States agency tasked with advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.

The Federal Information Security Modernization Act (FISMA) established NIST as the agency responsible for developing information security standards and guidelines for federal information systems.

NIST published Special Publication 800-171 titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” or NIST 800-171 for short.

NIST based 800-171 on 800-53, but removed controls, or parts of controls, that were uniquely catered to federal organizations. The framework consists of 14 Control Families, whereas CMMC contains 17 Domains.

NIST 800-171 is a guideline for non-federal organizations that must securely process CUI, within internal and external information systems, in support of federal activities.

For Government Contractors supporting the Department of Defense (DoD), CMMC 2.0 Level 2 and DFARS 7012 require NIST 800-171 compliance across information systems and policies.

How Does NIST 800-171 Impact Contractors and CMMC 2.0?

CMMC compliance is mandatory for all DoD contractors and subcontractors who handle CUI. By adhering to the controls outlined in NIST SP 800-171 and obtaining third-party certification of its implementation, organizations can achieve CMMC compliance.

BIG NEWS: NIST SP 800-171 revision 3 and SP 800-171A revision 3 have officially been released

Although revision 3 won’t be required for defense contractors for some time, it pays to see exactly what the future holds.

On the surface, SP 800-171 revision 3 has fewer requirements than revision 2. However, under the hood of SP 800-171Ar3 there is a 32% increase in the number of verification questions that need to be answered during an assessment (like CMMC).

Overall, 171r3 is progress in the right direction, even if it comes with a few warts.

Here are 7 things you need to know:

1. How many requirements does SP 800-171 revision 3 have?

NIST SP 800-171 revision 3 has 97 security requirements. That’s a 12% decrease compared to the 110 requirements in NIST SP 800-171 revision 2, right? Not exactly.

Under the hood, NIST SP 800-171 revision 3 is derived from its much bigger brother, NIST SP 800-53. NIST has decided that 156 of the 287 security controls in the NIST SP 800-53 revision 5 “moderate baseline” are “directly related to protecting the confidentiality of Controlled Unclassified Information”.

As a result, the 97 requirements in SP 800-171 revision 3 actually represent 156 distinct security controls (at least partially). The final number of requirements in SP 800-171 revision 3 is mostly a function of how NIST decided to merge multiple controls into single (sometimes massive) requirements.

A note on “withdrawn” requirements:

There are 33 “withdrawn” requirements in NIST SP 800-171 revision 3. However, nearly every withdrawn requirement is simply integrated into the language of other requirements in the standard (something I like to call “the law of the conservation of NIST controls”).

The illusion of withdrawn controls creates the situation in which the overall number of requirements has decreased from SP 800-171 revision 2 to revision 3 while the total number of required tasks has increased.

For example:

NIST SP 800-171 revision 2 includes the requirement to provide security awareness training on insider threats.

However, this requirement is “withdrawn” in NIST SP 800-171 revision 3.

When we look at the NIST SP 800-171 revision 3 version of requirement 3.2.1, we see that the insider threat requirement is simply nested inside it rather than being “withdrawn”.

2. How many requirements does SP 800-171A revision 3 have?

NIST SP 800-171A revision 3 has 422 requirements. In NIST parlance these are known as “determination statements” (often referred to as “assessment objectives”).

Every security control in NIST SP 800-53 has a corresponding verification procedure in NIST SP 800-53A (a standalone document). Just like its big brother, NIST SP 800-171 requirements derived from NIST SP 800-53 controls have corresponding verification procedures in NIST SP 800-171A (derived from NIST SP 800-53A).

Important: In order for a security requirement to be considered “fully implemented”, and therefore eligible to achieve a full score under CMMC and the DoD Assessment Methodology (DoDAM), every one of its determination statements needs to be satisfied.

NIST SP 800-171A revision 2 has 320 determination statements corresponding to the 110 requirements in SP 800-171 revision 2. The jump to 422 determination statements in NIST SP 800-171A revision 3 is a 32% increase. As noted above, don’t be lulled by the apparent decrease from 110 requirements to 97 requirements between the SP 800-171 revisions – defense contractors must orient themselves to SP 800-171A to ensure the level of granularity needed for successful implementation, verification, and CMMC certification.

3. How many Organizationally Defined Parameters does SP 800-171 revision 3 have?

NIST SP 800-171 revision 3 has 88 organizationally defined parameters (ODPs). Together with the 422 determination statements in NIST SP 800-171A, defense contractors have 510 items that must be verified in order for all 97 requirements in NIST SP 800-171 revision 3 to be considered “fully implemented”.

What are organizationally defined parameters?

Organizationally defined parameters are variables within NIST security controls and requirements. These variables must be defined in order to make a NIST security control measurable and verifiable. Until ODPs are defined a given set of NIST security requirements (like SP 800-171) is like a really unfunny set of Mad Libs.

Organizationally defined parameters in NIST SP 800-171 revision 3 requirement 3.2.1

Who defines organizationally defined parameters?

“The organization” defines organizationally defined parameters. Unfortunately, who the organization is can be very situational. In the case of SP 800-171, a standard created by the government for the protection of government data, the organization ought to be the government. However, there has been little effort to address this problem since SP 800-171 was published in 2015, let alone harmonize the definitions.

I anticipate that DoD will eventually define many of the ODPs in NIST SP 800-171 revision 3. Stay tuned.

4. Does NIST SP 800-171 revision 3 have any new control families?

Sort of. NIST SP 800-171 revision 3 has 17 control families. In comparison, NIST SP 800-171 revision 2 has only 14 control families.

The three “new” control families in NIST SP 800-171 revision 3 are:

  • Planning (PL)
  • System and Service Acquisition (SA)
  • Supply Chain Risk Management (SR)

Defense contractors who have implemented SP 800-171 revision 2 have already implemented requirements from the PL (requirement 3.12.3 – System Security Plan) and SA (requirement 3.13.2 – Security Architecture) families.

However, NIST SP 800-171 revision 3 now includes the following requirements:

Planning (PL):

  • Policy and Procedures (3.15.1)
  • Rules of Behavior (3.15.3)

System and Services Acquisition (SA):

  • Unsupported System Components (3.16.2)
  • External System Services (3.16.3)

Supply Chain Risk Management (SR):

  • Supply Chain Risk Management Plan (3.17.1)
  • Acquisition Strategies, Tools, and Methods (3.17.2)
  • Supply Chain Requirements and Processes (3.17.3)

5. NIST SP 800-171 revision 3 no longer has “NFO controls”

In previous revisions of NIST SP 800-171, security controls “expected to be routinely satisfied by nonfederal organizations without specification” were “tailored” out of the NIST SP 800-53 moderate baseline with the tag “NFO”.

In essence, NIST made more than 60 assumptions about security controls that federal contractors ought to have already had in place.

The problem, of course, is that unless a requirement is specified there is no guarantee that the requirement will be implemented at all.

For example, policies and procedures are necessary to document management decisions and verify that the security control environment is implemented correctly, operating as intended, and producing the desired outcomes.

However, policies and procedures are an NFO control in NIST SP 800-171 revision 2. As a result, many organizations will fail their assessments under programs like CMMC simply because they didn’t know they were required to maintain comprehensive documentation. Technically, policies aren’t a requirement in SP 800-171r2, but you can’t fully implement SP 800-171r2 without them.

No NFOs in SP 800-171 revision 3? Good riddance.

6. Does NIST SP 800-171 revision 3 have any new tailoring categories?

NIST SP 800-171 revision 3 introduces a new tailoring category: “ORC”.

When “the outcome of the control related to protecting the confidentiality of Controlled Unclassified Information is adequately covered by other related controls” they are designated as “ORC” controls.

There are 11 ORC controls in NIST SP 800-171 revision 3.

For example:

NIST SP 800-171 revision 3 lists the Supply Chain Risk Management control SR-12 as an “ORC control”:

See: NIST SP 800-171 revision 3 Appendix C “Tailoring Criteria”

See: NIST SP 800-53 revision 5

In the “CUI overlay” included in the supplemental material to NIST SP 800-171 revision 3, NIST indicates that SR-12 is satisfied by the NIST SP 800-53 control MP-6:

See: NIST SP 800-53 revision 5

The SP 800-53 security control MP-6 is represented as the SP 800-171 security requirement 3.8.3.

Clearly, MP-6 refers to procedures that occur prior to disposal while SR-12 refers to the process of secure disposal directly. Obviously, these are closely related, but they are not the same. Instead of merging the two controls we are left with an open question about how to address SR-12.

While this seems like a convenient decision I predict that it will cause significant confusion in the world of CMMC assessments due to ORC controls being required but allegedly satisfied by distinctly different controls (however closely related they may be). Stay tuned.

7. When will defense contractors be required to implement NIST SP 800-171 revision 3?

I don’t think defense contractors will be required to implement NIST SP 800-171 revision 3 (and have that implementation assessed under CMMC) for another 2 – 3 years. My current ballpark estimate: sometime between the second half of 2026 and the first half of 2027.

Thanks to the recent DFARS 252.204-7012 “class deviation”, defense contractors are required to implement and maintain NIST SP 800-171 revision 2 indefinitely.

Additionally, the CMMC proposed rule specifies that defense contractors will be assessed against the requirements in NIST SP 800-171 revision 2.

To DoD’s credit, it isn’t going to allow a situation in which defense contractors need to juggle two different NIST SP 800-171 baselines: one for DFARS 252.204-7012 compliance and one for CMMC verification.

We expect the CMMC final rule to be published by the end of 2024. After that point DoD will begin a new round of rulemaking to update the CMMC program to point to NIST SP 800-171 revision 3.

Once that rule is final DoD will likely update or rescind the class deviation in order to synchronize DFARS 252.204-7012 with CMMC.

There are several variables that could affect this timeline that we will be monitoring closely over the next several months. Stay tuned.