The National Institute of Standards and Technology will hold a webinar on June 6 to provide an overview of changes in the first draft of revision three for Special Publication 800-171, a foundational document that guides how agencies set cyber policy for contractors on protecting sensitive federal data.
The publication offers a set of requirements for controlled unclassified information with new details on how to tailor the security controls to meet an agency’s needs and the assessment process. It was released on Wednesday along with accompanying mapping spreadsheets.
An analysis spreadsheet comparing the revision three draft to revision two says there are 48 “significant changes” to the security requirements, where newly added details include “more comprehensive detail on and foundational tasks for achieving the outcome of the requirement.” It says there are 26 new requirements and 27 have been “withdrawn.”
The security requirements are broken down into “families” with new categories for planning, “system and services acquisition” and supply chain risk management. NIST also revised the security assessment category to include controls around “monitoring.”
The analysis spreadsheet offers a detailed mapping between the security requirements in the draft and revision two. Some of the requirements have been combined and the publication introduces “organization-defined parameters (ODP) in selected security requirements to increase flexibility and help organizations better manage risk.”
There’s also a new tailoring category, “Not Applicable (NA),” that can be used as part of the assessment process.
NIST 800-171 is derived from the agency’s massive catalog of security and privacy controls, SP 800-53, and its moderate baseline, SP 800-53B. The 800-53 publications received a major update in 2020, and the 800-171 revision is updated largely to align more closely with them.
A separate spreadsheet provides a “Prototype CUI Overlay” between 800-53 and the 800-171 initial public draft.
NIST says the control overlay “[s]erves as an alternative method to capture the security requirements in IPD SP 800-171 Revision 3 and offers a detailed analysis of the tailoring decisions at the control item (or requirement item)-level between SP 800-53 and SP 800-171.”
The spreadsheets can be accessed on the NIST 800-171 web page.
In a release, NIST emphasized the importance of the NIST 800-171 publication saying it “will be of particular interest to the many thousands of businesses that contract with the federal government.”
NIST said, “Federal rules that govern the protection of controlled unclassified information (CUI), which includes such sensitive data as health information, critical energy infrastructure information and intellectual property, reference the SP 800-171 security requirements. Systems that store CUI often support government programs containing critical assets, such as design specifications for weapons systems, communications systems and space systems.”
NIST fellow Ron Ross said, “Many of the newly added requirements specifically address threats to CUI, which recently has been a target of state-level espionage. We want to implement and maintain state-of-the-practice defenses because the threat space is changing constantly. We tried to express those requirements in a way that shows contractors what we do and why in federal cybersecurity. There’s more useful detail now with less ambiguity.”
Ross co-authored the publication with Victoria Pillitteri, manager of the Security Engineering and Risk Management Group in NIST’s Information Technology Laboratory.
The publication is foundational to level two of the Pentagon’s Cybersecurity Maturity Model Certification program. Pillitteri is a featured speaker at a CMMC Day event on Monday, where she will make a presentation on updating the entire 800-171 series.
NIST is accepting feedback through July 14 and expects to release a second draft for public comment ahead of the final publication in early 2024. Details on the June 6 webinar will be posted next week on the 800-171 webpage.
According to NIST, “Following the publication of the final version, the authors plan to revise the set of supporting NIST publications on protecting controlled unclassified information, including SP 800-171A (security requirement assessment), SP 800-172 (enhanced security requirements) and SP 800-172A (enhanced security requirement assessment).”