NIST 800-171 Rev 3: What This Update Means For Everyone Handling CUI
If you are a contractor or subcontractor working with the Department of Defense (DoD), you’re likely aware of NIST Special Publication 800-171 (NIST SP 800-171) and the importance of protecting controlled unclassified information (CUI).
NIST 800-171 outlines the security controls needed to sufficiently protect CUI. Additionally, the cybersecurity framework outlined in NIST 800-171 has become the “de facto” guide to follow if your organization works with the DoD and needs CMMC certification.
You may be wondering where to start with NIST compliance, or you may have already begun your compliance journey and have your timelines planned out. However, there has been a revision to the NIST 800-171 controls and requirements that you need to know about.
In this article, we will cover what the significant changes are to NIST 800-171 Revision 3 and whether or not you need to be compliant with this latest revision.
We handle the IT needs of companies of all sizes, including those that are contractors, subcontractors, or suppliers for the U.S. government. We’ve helped organizations just like yours through NIST 800-171 certification, so we know the steps involved.
We publish articles like these that contain the information business leaders need to make the best IT decisions for their business. We think it’s imperative that you have unbiased information you can use to keep your business running smoothly, whether you work with us or not.
What Is NIST 800-171 & Why is NIST Compliance Important?
Let’s do a quick recap of what NIST 800-171 is. More than 10 years ago, the National Institute of Standards and Technology (NIST) issued a special publication (known as NIST 800-171 or NIST SP 800-171).
NIST 800-171 outlines essential security requirements and provides a cybersecurity framework for organizations to follow to protect controlled unclassified information or CUI, if they work with the government.
What is CUI?
CUI is essentially government data that is unclassified but still considered confidential and therefore needs safeguarding. You can think of it as data that doesn’t fall under the traditional classified or top-secret bucket but is still important and warrants protection.
Examples include design diagrams, internal government reports, technical data and drawings for parts to be made specifically for products to be provided to the federal government, or personally identifiable information (PII) used in the performance of federal government contracts.
Related Article: What Is Controlled Unclassified Information (CUI) In NIST 800-171?
Why Is CUI Protection Important?
Protecting CUI is important because it allows only authorized individuals to access this information and ensures it doesn’t fall into the wrong hands.
The big takeaway in understanding NIST 800-171 is that if you handle CUI and work with the DoD, your organization will need to follow and be compliant with the cybersecurity framework and controls outlined in NIST 800-171 in order to maintain current contracts and win future ones.
Related Article: What Are The 14 Controls Identified In NIST 800-171?
What Businesses Does NIST 800-171 Apply To?
In general terms, the NIST compliance standards outlined in NIST 800-171 must be met by anyone who processes, stores, or transmits CUI. This includes contractors and subcontractors for the DoD, GSA, NASA, and other federal or state agencies.
If you aren’t sure whether this affects your business, ask yourself these questions:
- Does my organization work on federal government contracts? If so, with which agencies or departments?
- Does my organization work with subcontractors that have direct federal contracts? If so, with which agencies or departments?
- Is my organization a subcontractor or supplier to an organization that contracts with the federal government?
- Does my organization produce a unique product that is part of a government contract? (If so, make sure you read and understand the terms of your contract. If you still aren’t sure, ask your customer.)
If you answer yes to any of the above questions, NIST 800-171 likely applies to your organization.
What’s New In The Latest NIST 800-171 Rev 3?
Now that you have a better understanding of what types of businesses may need to be compliant, and why ensuring compliance and protecting CUI is crucial for securing and maintaining future contracts with the DoD, let's discuss why compliance is not a set-it-and-forget-it process. NIST 800-171 is a perfect example of this.
Over the last 10 years, NIST 800-171 has undergone several revisions and updates, which all organizations must adhere to in order to secure future contracts and maintain current ones with the DoD.
This latest Revision 3 introduces several critical changes that contractors and subcontractors need to be aware of. Let's look at what has changed.
1. Streamlined Security Controls
A significant update in NIST 800-171 Rev 3 is the addition of new, streamlined security controls. With cyber threats constantly on the rise, these streamlined controls aim to address emerging threats and vulnerabilities, putting organizations in a better position to protect CUI. Some of the key streamlined controls are:
- Enhanced access controls to ensure that only authorized personnel can access sensitive information.
- Enhanced encryption standards and updated requirements to protect data being stored or shared.
- Improved incident response processes that outline clearly defined protocols for reporting and responding to cyber incidents more effectively.
NIST 800-171 Rev 3 also tightens guidelines and security controls for storing and processing data in the cloud, and updates requirements for mobile device management to ensure the security of mobile devices accessing CUI.
2. New Control Families
NIST 800-171 Rev 2 had 14 control families, while Rev 3 adds three new ones, increasing the total to 17.
To simplify compliance, reduce overlapping controls, and provide clear direction, the latest revision has reduced the number of requirements from 110 in Rev 2 to 97 today. The three new control families introduced are:
- Planning (PL): focuses on developing strategic plans to manage security risks.
- System and Service Acquisition (SA): ensures security is considered during the acquisition of systems and services.
- Supply Chain Risk Management (SR): addresses risks associated with the supply chain to protect CUI from cyber criminals.
3. More Flexibility With Organization-Defined Parameters (ODPs)
NIST 800-171 Rev 3 introduces more Organization-Defined Parameters (ODPs). ODPs provide organizations with additional flexibility in compliance, allowing them to tailor and define specific parameters for certain controls to fit their business needs.
This makes it easier for businesses to map NIST 800-171 to other frameworks they may already be following, simplifying integration with existing security protocols.
4. Emphasis On Security Assessments
NIST 800-171 Rev 3 increases the responsibilities of contractors and subcontractors and puts a greater emphasis on having regular security assessments, such as vulnerability scans and penetration testing, to identify and mitigate security risks.
These new guidelines also apply to supply chain contractors and subcontractors to ensure that all companies within the supply chain follow the same updated security standards.
Related Article: How To Assess Cyber Risk: IT Vulnerability Scan Vs. Penetration Test
Do You Need To Be Compliant With NIST 800-171 Rev 3?
At this point, you may be feeling overwhelmed—and that’s okay. Compliance is complex and often a moving target, so it’s important to understand what has changed and whether you need to adjust your compliance efforts and strategy.
We’ve outlined the key changes and updates in NIST 800-171 Revision 3 and how it differs from Revision 2.
So, here’s the big question: Do you need to comply with Revision 3, and if you are already compliant with Revision 2, do you need to take additional steps to align your security posture with Revision 3?
Here's where things get interesting: currently, the DoD has aligned DFARS 7012 and CMMC 2.0 with NIST 800-171 Revision 2. This means, for now, your compliance efforts and strategy should continue to focus on aligning with Revision 2 for DoD contracts.
What's The Bottom Line:
In this article, we’ve defined NIST 800-171 and explained why compliance is crucial for protecting CUI and securing current and future contracts with the DoD. We have also helped you understand how to determine if your organization may need to achieve compliance, if you haven’t already started your journey.
Furthermore, we have outlined the changes between Rev 2 and Rev 3. We have also cleared up any confusion regarding which version you need to be compliant with in order to work with the DoD.
While NIST 800-171 Rev 3 requirements aren’t mandatory yet, they do provide valuable updates. These updates give organizations a more streamlined and enhanced cybersecurity posture, and offer them a better chance at protecting CUI and themselves from cyber criminals.
At Kelser, a managed IT services provider, we help businesses navigate their compliance journey every day. We believe that no matter where you are in your compliance journey, it’s a good idea to adopt a continuous improvement mentality.
If you have a large internal IT staff, you may have all the resources you need to ensure that your organization can successfully prepare and implement the necessary policies and procedures for NIST Compliance.
If you don’t have a full in-house IT team or a team that has little compliance experience, you may want to explore working with an external IT provider who has compliance expertise and staff to guide and advise you.
Managed IT services help organizations adopt many of the requirements outlined in NIST 800-171 and ultimately prepare for the next step, CMMC certification, which is mandatory for government contractors and subcontractors.
We know managed IT support isn’t right for every organization. We publish articles like this one so that business leaders have the information they need to keep their data and infrastructure safe and understand how to move forward, whether they choose to work with us or not.
If you are feeling overwhelmed and just want to talk to a human, we get it too! The button below will connect you to a simple form. Provide your name and email and one of our IT compliance experts will reach out to schedule a 15-minute call to learn about your current technology situation, pain points, and compliance goals. (No sales pitch; just a conversation.)