The government’s suggested changes to NIST 800-171 were recently released. This third revision of the standard presents a handful of changes and places focus on supply chain risk. What do these proposed changes mean and how should your organization move forward?
At a high level, here’s what is being proposed.
- Independent assessors: Rev 3 includes language stating that your company will need to use an independent assessor to guide you through your assessment process, although the details of this change are yet to be finalized. Independent assessment could be interpreted as functionally independent or organizationally independent. It seems as though the drafters of rev 3 are looking for a set of fresh eyes as relates to the implementation of the requirements. In short, it appears as though they don’t want practitioners assessing themselves.
- Supply chain risk management: With all the recent coverage about security breaches at various points along the supply chain, it should come as no surprise that supply chain risk management is becoming front and center. While DFARS 7012 clause mandates that you must flow down that clause to subcontractors, rev 3 addresses supply chain risk management at the contractor level.
- The rest of the changes in the document: In previous revisions, there were duplicative controls. Rev 3 puts some additional efficiencies in place, as well as provides more information as to what would be considered ‘in scope’ for the standard.
Take a closer look at the changes.
| NIST SP 800-171 rev. 2 | NIST SP 800-171 rev. 3 | |
| Current verbiage | Proposed verbiage | What the change addresses |
| A federal information system is a system that is used or operated by an executive agency, by a contractor on behalf of an executive agency. A system that does not meet such criteria is a nonfederal system. | Nonfederal systems include information (IT) systems, operational technology (OT) systems, and Internet of Things (IoT) devices. | Addresses more directly what a nonfederal system is by providing examples. |
| System components include, for example, mainframes, workstations, servers; input and output devices; network components; operating systems; virtual machines; and applications. | System components include workstations, servers, notebook computers, smartphones, tablets, input and output devices, network components, operating systems, virtual machines, database management systems, and applications. | Builds out systems components list to include more recently available technologies. |
| Chapter Three describes 14 families of security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations. | The security requirements are organized into 17 families, as illustrated in Table 1. New security requirement families include Planning, System and Services Acquisition, and Supply Chain Risk Management. | Adds three new security requirement families that address supply chain risk management. |
| Non-existent | Requirement 3.12.5 – Use independent assessors or assessment teams to assess controls. | Adds a new requirement mandating independent assessment. |
| Appendix E – Tailoring Criteria. NFO: Expected to be routinely satisfied by nonfederal organizations without specifications. | Appendix C – Tailoring Criteria. NFO: Expected to be implemented by nonfederal organizations without specifications. | Strengthens language about tailoring criteria. |
Note that at this point these are proposed changes. Moving forward you should continue to focus on assessing your organization against the existing requirements of DFARS 7012 and NIST 800-171, rev 2. Know that you can rely on us to keep you informed about any changes and their impact on your organization as they become approved and formalized.
If you have any questions about how to get started on your NIST 800-171 assessment, contact us. We’re here to help.