On Tuesday, May 14th the National Institute for Standards and Technology (NIST) published, in final form, the NIST SP 800-171 Rev. 3. With this publication comes several updates to reflect the ongoing changes within the threat landscape and provides additional guidance for organizations to better secure their CUI.
NIST is an agency of the U.S. Department of Commerce that exists to "promote innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life". NIST is responsible for the "NIST Cybersecurity framework" (CSF), a set of guidelines meant to reduce cybersecurity risks. NIST 800-171 is a regulatory framework developed by NIST to protect assets that store, create, transmit, or process controlled unclassified information (CUI). Any contractor working with the Department of Defense (DoD) must comply with NIST 800-171. In 2017, NIST SP 800-171 Rev. 2 was published and adopted by the DoD into DFARS 252.204-7012 "Safeguarding Covered Defense Information and Cyber Incident Reporting Regulations".
With Revision 3 of NIST 800-171, comes several significant changes contractors should be aware of. Firstly, Rev. 3 introduces refined assessment procedures organized into 17 security requirement families. This addresses the need for consistent and comprehensive assessments across varying organizations and industries. Revision 3 also changes requirements pertaining to cryptographic protections. FIPS 140-2 compliance is no longer included under Rev. 3, however organizations must still implement required encryption methods. Revision 3 also includes several Organization-Defined Parameters (ODPs), which offers more flexibility in how organization implement the required controls within their business. This allows greater freedom and enables organizations to customize the security controls based off their unique business needs.
With the publication of Rev. 3, many contractors may be wondering how this effects their CMMC compliance status and if they will have to budget for additional controls. On May 2nd, the DoD announced that they have authorized a "class deviation", which allows for contractors to comply with Rev. 2 rather than the version currently in effect.
Contractors should continue to pursue adherence to the previously established NIST 800-171 Rev. 2 before implementing changes outlined in Rev. 3. This means that organizations do not have to worry about budgeting for additional controls, expanding their implementation timeline, or redoing prior compliance work.
CorpInfoTech is a managed service provider that offers IT and cybersecurity solutions to small-medium sized businesses. We offer a variety of services including managed firewall, vulnerability scanning and management, security assessments, and compliance aid. For contractors that have to comply with CMMC, and the requirements outlined in NIST 800-171, CorpInfoTech is able to help their clients achieve and maintain compliance. As a certified RPO (Registered Provider Organization) under CREST, CorpInfoTech has proven our services effective in implementing CMMC and NIST compliance.
Contact CorpInfoTech today to see how our services can assure your businesses security!