On May 10, the National Institute of Standards and Technology (NIST) released its initial public draft of SP 800-171, Revision 3, a set of updated guidelines aimed at helping organizations better handle controlled unclassified information (CUI) that resides on non-federal systems.
The draft is part of an ongoing effort to clarify specific technical and non-technical requirements, increase flexibility for federal contractors implementing cyber programs, and strengthen defenses as the cyber threat environment rapidly evolves.
The public draft of SP 800-171, Revision 3 aims to modernize multiple areas of existing guidelines, including:
- Removing outdated cybersecurity standards to reflect current cybersecurity best practices.
- Introducing “Organization-Defined Parameters,” which the government will use to specify the values of certain requirements, giving contractors greater flexibility to implement tailored cybersecurity approaches.
- Changing security requirements to reflect updates in NIST SP 800-53, Revision 5 and the NIST SP 800-53B moderate control baseline.
- Creating a prototype CUI overlay.
- Providing additional resources to help organizations mitigate risk.
SP 800-171 impacts any organization that processes or stores CUI on behalf of the U.S. government, including contractors for the Department of Defense (DOD), universities and research institutions that receive federal grants, and organizations providing services to government agencies. Moreover, SP 800-171 underpins many federal cybersecurity standards in the Defense Federal Acquisition Regulation Supplement (DFARS) and the DOD’s Cybersecurity Maturity Model Certification (CMMC) program.
While updating policies and adding flexibility, changes in SP 800-171, Revision 3 also reflect a desire to ensure contractor defenses are adequate to deal with a rapidly evolving threat. Ron Ross, a NIST fellow and author of the public draft, stated, “[m]any of the newly added requirements specifically address threats to CUI, which recently has been a target of state-level espionage . . . [w]e want to implement and maintain state-of-the-practice defenses because the threat space is changing constantly. We tried to express those requirements in a way that shows contractors what we do and why in federal cybersecurity. There’s more useful detail now with less ambiguity.”
SP 800-171 was first published in 2015. It has since been updated twice. In December 2016, NIST published Revision 1 of SP 800-171, and then in February 2020, NIST published SP 800-171, Revision 2. The public draft of SP 800-171, Revision 3, follows a pre-draft call for comments published on July 19, 2022. NIST anticipates issuing one more draft version of Revision 3 before publishing a final version in early 2024. Finally, NIST is hosting a webinar on June 6, 2023, to provide an overview of the significant changes in SP 800-171, Revision 3 and is accepting public comments on the public draft through July 14, 2023.