The day has finally come for the release of the final public draft of NIST SP 800-171 revision 3. On initial review, some may say, “yeah, the controls have been reduced and there are now only 95”. Sorry to be the bearer of bad news, but most of the withdrawn controls have been incorporated into other controls. Instead of 110 controls you now have 95, but instead of 320 determination statements you now have 445, a whopping increase, under the companion NIST SP 800-171A revision 3 draft that was released at the same time.
We can write a whole series around the changes that were made, but for now we’re going to stay focused on the new requirements that were added in and what that will mean once NIST SP 800-171 goes final. Under the 95 controls in revision 3 there are 17 new additions to control requirements.
Configuration Management – 3 new controls
- 3.4.1 – System Inventory – Requires that you develop and document your inventory of system components along with reviewing them annually and making continuous updates as components are added, removed, or updated.
- 3.4.11 – Information Location – Requires that you identify and document the location of CUI, the users with access to CUI, and the system components on which CUI is processed and stored, in addition to documenting any changes as they occur.
- 3.4.12 – System and Component Configuration for High-Risk Areas – Requires that you address, with an Organizationally Defined Parameter (ODP), how you configure systems or components for individuals who are traveling to high-risk locations and what the security requirements are for the system or system components when the individual returns from travel.
Identification and Authentication – 1 new control
- 3.5.12 – Authenticator Management – The requirement puts a little more emphasis on authenticator management around procedures and requirements for periodic authenticator refresh or changes based on ODPs.
Incident Response – 1 new control
- 3.6.4 – Incident Response Training – This requires that those involved in incident response are appropriately trained within an ODP time frame when being assigned the role, along with periodic refresher training delivered at an interval set by the organization's ODP.
Physical Protection – 2 new controls
- 3.10.7 – Physical Access Control – This control enhances 3.10.1 and 3.10.2 by calling out ingress/egress requirements at physical locations in addition to audit logs and physical access device management.
- 3.10.8 – Access Control for Transmission and Output Devices – This requirement gets into the area of output devices (e.g., printers, scanners, audio devices, copiers, etc.) and sets parameters for controlling physical access to system distribution and transmission lines within organizational facilities, so that CUI is protected from unauthorized access.
Security Assessment – 1 new control
- 3.12.5 – Information Exchange – This control requires the review and management of service agreements between a company and its provider for any service that may touch CUI data, and requires that those agreements be reviewed periodically.
System and Information Integrity – 1 new control
- 3.14.8 – Information Management and Retention – This is going to be one of those requirements where an organization will need to pay attention to its contracts and request clarification on CUI retention once a contract is completed. The requirement calls for the management of CUI on nonfederal systems and for means to limit the length of time CUI resides on those systems, reducing the risk of exposure.
Planning (New control family) – 2 new controls
- 3.15.1 – Policy and Procedures – The requirement pulls from all the policy and procedure requirements previously in the tailoring criteria in revision 2 and calls out that policies must cover each family of requirements.
- 3.15.3 – Rules of Behavior – The requirement pulls from all the policy and procedure requirements previously in the tailoring criteria in revision 2 and calls out that all staff with access to CUI systems must be provided with, and must acknowledge, the rules of behavior for interacting with the system, and that the rules of behavior are reviewed periodically.
System and Services Acquisition (New control family) – 3 new controls
- 3.16.1 – Acquisition Process – The requirement calls out the need to include security requirements in acquisition contracts for systems, components, or system services, based on ODPs.
- 3.16.2 – Unsupported System Components – The requirement calls out the need to replace unsupported system components or to provide risk mitigation for the continued use of unsupported system components.
- 3.16.3 – External System Services – The requirement formalizes and enforces a vendor risk management process covering any vendor service or product that processes, stores, or transmits CUI data. In addition, it requires that a staff member be assigned responsibility for ongoing oversight and monitoring of vendors' security compliance requirements.
Supply Chain Risk Management Plan (New control family) – 3 new controls
- 3.17.1 – Supply Chain Risk Management Plan – The requirement is to create, update, maintain, and protect a supply chain risk management plan. The plan covers the management of supply chain risks associated with the system, system components, or system services.
- 3.17.2 – Acquisition Strategies, Tools, and Methods – The requirement is around mitigating procurement risk from your supply chain through the implementation of tools and techniques (e.g., tamperproof packaging) to minimize the potential for counterfeit or tainted products making their way into your system.
- 3.17.3 – Supply Chain Requirements and Processes – The requirement calls for creating a procedure for identifying weaknesses in your supply chain, along with enforcement mechanisms based on ODPs.
Although it will take time before revision 3 is in effect, it is still a good strategy to create some long-term plans and strategies for the future. One item to keep in mind when planning is that anything ‘periodically’ defined with an ODP will, once CMMC is in effect, be defined for you as at least annually if it hasn’t already been defined in your contracts.