Last week, the National Institute of Standards and Technology (NIST) published a draft revision of Special Publication (SP) 800-171. SP 800-171r3, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Initial Public Draft” details a series of proposed updates to information security requirements imposed on the Defense Industrial Base (DIB) by the federal government. These updates are currently open for public feedback until July 14, 2024. They have not been finalized, so don’t panic. Yet. What does this mean for DoD contractors? Consider settling down this weekend with a nice scotch to review the FAQ that accompanied the draft publication and get the full story. In the meantime, DCG has identified 3 key considerations to help you get the gist.
1. Additional Specifications
NIST SP 800-171r2 included 110 security controls (which are best understood as directives or requirements). Technically, 800-171r3 also has 110 controls. This is misleading for four reasons.
First, 27 controls from r2 were labeled as being “withdrawn” in r3. However, withdrawn controls were actually collapsed into other requirements, and so cannot be dismissed by Organizations Seeking Certification (OSCs). For example, r2’s control 3.1.19, “Encrypt CUI on mobile devices and mobile computing platforms,” was incorporated into r3’s 3.1.18, “Access Control for Mobile Devices.”
Second, existing controls have been systematically redrafted to detail trackable components. This means that, while the number of controls may not have changed, the number of distinct action items has increased. For example, in r2, control 3.1.1 requires OSCs to: “Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).” In r3, it requires them to:
a. Define and document the types of system accounts allowed and prohibited. b. Create, enable, modify, disable, and remove accounts in accordance with [Assignment:organization-defined policy, procedures, prerequisites, and criteria]. c. Specify authorized users of the system, group and role membership, and access authorizations (i.e., privileges). d. Authorize access to the system based on a valid access authorization and intended system usage. e. Monitor the use of accounts. f. Disable accounts of individuals within [Assignment: organization-defined time period] when the accounts: 1. Have expired; 2. Are no longer associated with a user or individual; 3. Are in violation of organizational policy; or 4. Have been inactive for [Assignment: organization-defined time period]. g. Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks]. h. Notify [Assignment: organization-defined personnel or roles] within [Assignment:organization-defined time period]: 1. When accounts are no longer required; 2. When users are terminated or transferred.
Third, 27 new controls were added to the list, which is why the “110” number remained stable. But make no mistake: wholly new requirements have been introduced. In fact, entirely new control families, called domains, have been proposed, like “Supply Chain Risk Management” and “Planning.”
Fourth and finally, it is important to note that only the list of controls has been updated. Each control is associated with a list of assessment objectives (AOs), and scoring compliance against AOs creates a much more accurate picture of an organization's compliance posture than scoring against controls. AOs associated with new controls will not be outlined until SP 800-171A r3, “Assessing Security Requirements for Controlled Unclassified Information,” is published next year. Based on the way assessment objectives have been mapped in relation to controls in the past, the number of new components that will require tracking is likely to exceed 120 items.
2. Organizationally Defined Parameters (ODPs)
Organizationally Defined Parameters, also called Organizationally Defined Variables (ODVs), have their basis in NIST SP 800-53r5. Essentially, they provide wiggle-room for OSCs and contracting organizations to select the mechanisms to satisfy controls which work best for a given contract. The FAQ that accompanied r3’s publication states: “Once ODPs have been defined, they become part of the security requirement and can be assessed as such…Federal agencies can elect to specify ODPs, provide guidance on selecting ODPs for nonfederal agencies, or allow nonfederal agencies to self-select ODP values.”
One example of an ODP you should pay attention to is control 3.13.11. In r2, 3.13.11 required OSCs to implement FIPS validated encryption to protect CUI. However, r3 considers the method of cryptographic protection an ODP; the contracting organization, the OSC, or a combination thereof will determine whether FIPS or another method is most appropriate for the project at hand.
3. SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information”
The final consideration we will detail here is the publication date of SP 800-171A. Updates to 171A will not become publicly available until after the r3 Initial Draft is finalized. As discussed above, the new 171A is certain to include the introduction of dozens, if not hundreds of new assessment objectives.
It is also important to note that contracts acquired before January of 2024 will be assessed according to 171A r2. This means that many organizations will likely be required to uphold both versions of the standard concurrently, in order to appropriately handle contracts signed before 2024. FIPS will be required of Level 3 contracts signed before December 31st of 2023, but not after. The Supply Chain Risk Management domain will not be required of contracts signed before January 1st of 2024. Et cetera. This promises to present unique challenges across the DIB, and therefore is important to begin thinking about now.
Ultimately, there is a lot of new information to parse through here. Careful review of r3’s accompanying FAQ is highly recommended. And as always, if you have any pressing questions about how the new document might impact your organization, we are available for expert consultation.