Understanding NIST 800-171: Draft Changes and Key Updates Explained

In June 2015, the National Institute of Standards and Technology (NIST) released Special Publication (SP) 800-171: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations, to provide minimum security baselines for inclusion in contracts or other agreements between federal agencies and organizations that would handle CUI on their behalf. CUI is a broad category of information that includes personally identifiable information, proprietary business information, unclassified technical information, and sensitive law enforcement data. NIST 800-171 may be more recognizable as the baseline for the Defense Federal Acquisition Regulation Supplement (DFARS) and Cybersecurity Maturity Model Certification (CMMC). As of its last revision in February 2020, NIST 800-171 had 110 control requirements spread across 14 controls families that corresponded to the families in NIST SP 800-53, which covers security controls for federal systems. In 2022, due to the constantly evolving landscape of cybersecurity and interest in soliciting usability feedback from adopting organizations, NIST determined that an update to the framework was necessary.

NIST 800-171 Revision 3

NIST called for comments in July 2022, and 60 responding organizations provided feedback to shape the framework’s future. On May 10^th, 2023, NIST released the initial public draft version of 800-171 Revision 3, which brings substantial changes. The primary difference is an expansion in scope to cover the additional control families of Planning, System and Services Acquisition, and Supply Chain Risk Management, along with 16 single control additions spread across the original 14 families. This change aligns NIST 800-171 with the NIST 800-53 revision 5 moderate baseline, which will now serve as its single authoritative source. Despite this expansion, there is a net decrease in controls from 110 to 109, primarily due to the consolidation of existing controls. The other principal change is a dramatically increased level of detail in control descriptions, which helps to align organizations, assessors, and frameworks. Therefore, anyone under the governance of NIST 800-171 must review this latest version, or the accompanying change analysis spreadsheet, to ensure that they are aware of the new controls and remain compliant with the clarified scopes of the existing controls. 

Alignment with NIST 800-53

The primary reasons for releasing this updated NIST 800-171 version were to enhance its usability and clarity. This was achieved by aligning NIST 800-171 with the NIST 800-53 revision 5 moderate baseline and removing references to FIPS 200. This decision makes framework knowledge and resources more transferrable and informed by public comments that the differences between public and private security and risk management frameworks were overwhelming. This refocusing also eliminates the distinction between basic and derived security requirements, provides control titles, and adds additional detail to control. These changes improve the clarity of the framework and ensure that organizations and assessors are aligned in their interpretations of the controls. A critical new detail is the use of organization-defined parameters (ODPs) that allow organizations and their federal partners the flexibility to assess and manage their risk. These ODPs range from specific time frames before a network connection is terminated, to general parameters, such as the accounts allowed in an information system. They should all be clearly defined in a mature program and enable federal agencies to tailor minimum requirements for organizations they engage with, similar to FedRAMP.

Specific Control Changes

These overarching changes are accompanied by additional individual controls that expand the requirements. The most significant differences are the new families: Planning, System and Services Acquisition, and Supply Chain Risk Management. The Planning family calls for specific Rules of Behavior documentation surrounding CUI and formal policy describing the development and review of the system security plan (SSP). The System and Services Acquisition and Supply Chain Risk Management families overlap and introduce requirements for programs that assess and manage external suppliers and service providers. Notably, only four controls were removed: Voice over Internet Protocol (VoIP), password generations, automatic disabling of inactive identifiers, and the maintenance of organizational systems. For the remaining changes, it is worthwhile to reacquaint yourself using the available resources included below or to leverage your now-applicable NIST 800-53 knowledge.

NIST 800-171 Next Steps

The updated NIST 800-171 framework also introduces a specific requirement for the use of outside assessors. Tevora assists organizations of all sizes and industries currently using NIST 800-171 internally or seeking to implement the framework by assessing policies, procedures, tools, environments, and more to develop tailored security initiatives and consistently improve security postures. For questions regarding how Tevora’s services and team of specialists can assist in preparing for the upcoming NIST 800-171 changes, call 833.292.1609 or e-mail sales@tevora.com

Comments on the draft version of NIST 800-171 Revision 3 have closed and are currently being reviewed by NIST prior to the finalization of the framework.

We Can Help

If you have questions or would like help bringing your organization into compliance, just give us a call at (833) 292-1609 or email us at sales@tevora.com.