NIST adds new data formats for foundational CMMC publications

By Sara Friedman / April 15, 2022

The National Institute of Standards and Technology has added two new data formats intended to improve the usability of four publications that are foundational to the Pentagon’s cyber certification program.

The publications focus on the protection of controlled unclassified information. NIST Special Publication 800-171 is the basis for level two of the Pentagon’s Cybersecurity Maturity Model Certification program. NIST Special Publication 800-171A provides assessment procedures to operationalize the publication.

NIST Special Publication 800-172 builds on both documents by adding enhanced security requirements for advanced persistent threats and high-value assets. CMMC level three will include a subset of the controls outlined in NIST 800-172.

NIST published a corresponding assessment process guide, Special Publication 800-172A, in March.

The new data formats translate the security requirements into Excel spreadsheets and the .csv format. Each control is broken down by family; identifier; “Sort-As”; “enhanced security requirements”; discussion; “protection category”; and “adversary effects.”

NIST plans to release the draft version of NIST 800-171 Rev. 3 later this year. NIST fellow Ron Ross said the publication will address what changes should be made to NIST 800-171 to “bring it up to code” and make sure the controls derived from NIST Special Publication 800-53 Rev. 5 still meet the “moderate impact requirements.”

According to DOD assessment leader John Ellis, the Defense Department plans to propose additional controls from the CMMC 1.0 model for inclusion in the NIST 800-171 update.