On May 10th, 2023, NIST released Special Publication 800-171 Rev 3 (Draft) for public comment. This is the next iteration of the infamous “Protect CUI” prime directive and may have direct implications for CMMC regulations in the future. More importantly for now, pursuant to DFARS 252.204-7012 (b)(2)(ii)(A), covered contractor information systems are subject to 800-171 requirements irrespective of revision. That means that as soon as this draft is finalized, it will supersede rev 2 and organizations will immediately be subject to compliance with the new version.
A couple of key takeaways from the draft and handy version-difference spreadsheet:
- It is just a draft in public comment period (until July 14th) – so no action is required currently.
- It generally takes ~6 months from public comment period to finalization.
- The document itself has been cleaned up substantially and the new wording makes it a lot easier to digest. There remain ~110 controls, though some were removed, some added, and some moved into other controls. The clarifying points in the controls read a lot less “government-y” than revision 2.
- Aside from the 3 new control families, not a lot has changed, so the level of effort to go from 800-171 rev 2 to 800-171 rev 3 compliant should not be tremendous (for now).
- Here is a handy change-analysis spreadsheet that NIST published to identify changes from revision 2 to revision 3: https://csrc.nist.gov/csrc/media/Publications/sp/800-171/rev-3/draft/documents/sp800-171r2-to-r3-ipd-analysis.xlsx
- There is a prototype CUI overlay here: https://csrc.nist.gov/csrc/media/Publications/sp/800-171/rev-3/draft/documents/sp800-171r3-ipd-cui-overlay.xlsx
- There is a FAQ for the decision-making process and differences here: https://csrc.nist.gov/csrc/media/Publications/sp/800-171/rev-3/draft/documents/sp800-171r3-ipd-faq.pdf
- Here is a direct link to the draft document: NIST SP 800-171r3 initial public draft, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- More information can be found at the master NIST site for this draft, including how and where to comment: https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/draft.
Again, no action is required at this time, but if your organization is in this space, it is probably a good idea to familiarize yourself with the proposed changes. F1 will continue to monitor the compliance landscape to stay ahead of the looming changes in the future!