The National Institute of Standards and Technology in 2022 will update its publication guiding agencies and industry on how to secure controlled unclassified information, a key component of the Pentagon's Cybersecurity Maturity Model Certification program, according to lead author Ron Ross.
NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” provides a tailored approach on how to use NIST’s massive catalog for security and privacy controls, known as Special Publication 800-53, using the moderate baseline and other requirements in Federal Information Processing Standards Publication (FIPS) 200.
NIST published NIST 800-53 Rev. 5 in September 2020, which was described in a NIST blog post as a “complete renovation” and the “first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size, and all types of systems -- from super computers to industrial control systems to Internet of Things (IoT) devices.”
As a result, Ross told Inside Cybersecurity, NIST will determine what changes should be made to NIST 800-171 to “bring it up to code” and make sure the controls derived from NIST 800-53 still meet the “moderate impact requirements.”
There are currently 110 controls in NIST 800-171 to provide agencies with recommended security requirements for maintaining the confidentiality of CUI stored on government contractor systems.
NIST also plans to seek input from partners in government and industry to determine whether the current requirements are “effective” and meet their needs today, Ross said, adding he does not expect the new revision to be “drastically different” because NIST knows any changes made could cause a “ripple effect” on measures taken by stakeholders to secure CUI.
The Pentagon’s CMMC program relies on NIST 800-171 to provide security requirements for level two. The program was recently changed to eliminate extra level two controls developed by DOD as part of an effort to streamline the model and create a single standard that could be used for civilian agencies that choose to adopt CMMC down the line.
NIST doesn’t establish mandatory standards for industry, but Ross said agencies have the ability to incorporate NIST publications into their contractor requirements. DOD changed its acquisition rules in 2017 to require agencies to self-attest their compliance with the 110 controls in NIST 800-171, and CMMC 2.0 establishes rules for agencies to provide those compliance details to DOD.
Ross noted NIST 800-171 has a “large customer base” and is heavily used by DOD and its defense industrial base. However, Ross said “how DOD uses 800-171 is up to them.”
Industry is largely supportive of NIST’s approach to develop voluntary cybersecurity standards, which relies on getting input from a variety of partners through requests for information, comments on draft publications and holding workshops.
The CMMC program will roll out after two rulemaking processes to change DOD’s acquisition rules are completed, which DOD officials say could take anywhere from nine to 24 months.
It is not clear whether NIST’s own process to update NIST 800-171 could impact CMMC level two. However, DOD has stated that any changes to the CMMC 2.0 maturity model for new level two will be developed in collaboration with NIST.
The CMMC 2.0 maturity model and accompanying assessment guides will be released by the end of November, according to DOD officials.
CMMC 2.0 level three will be based on a subset of requirements in NIST 800-172, which builds on NIST 800-171 to address advanced persistent threats. Ross said NIST 800-172 is in “good shape” right now and has no plan to update it in 2022.
Ross said NIST is currently working on companion publication 800-172A to enable organizations to conduct tailored assessments on the security requirements, and Ross said it will be released in first quarter of 2022.