NIST released an initial discussion draft of the next version of its Special Publication 800-171. Referred to as Revision 3, or Rev. 3, the new version of SP 800-171 includes significant changes from Revision 2, or Rev. 2: several requirements are merged, new requirements are added, and many existing requirements are clarified. The chart below, prepared by Cybersec Investments and reproduced with authorization, highlights five key takeaways from this initial discussion draft.
NIST is soliciting public comments until July 14, 2023. NIST will then “adjudicate” those comments and expects to release the next discussion draft toward the end of this calendar year. That draft will also be open for public comment. The final version of NIST SP 800-171 Rev. 3 is expected in early 2024.
Once NIST SP 800-171 Rev. 3 is finalized, NIST’s attention will turn to updating the assessment guide to NIST SP 800-171, referred to as NIST SP 800-171A, to reflect the changes to the framework itself. This process could take several additional months. Thus, we most likely will not see fully revised and finalized copies of Rev. 3 of NIST SP 800-171 and 800-171A until this time next year at the earliest.
Impact on DoD’s Cyber Initiatives (Including CMMC)
Some have asked whether and how the release of NIST SP 800-171 Rev. 3 is likely to impact the US Department of Defense’s CMMC program and related efforts.
DFARS 252.204-7012(b)(2)(i) requires contractors to comply with the version of NIST SP 800-171 in effect at the time the solicitation is issued, or as otherwise authorized by the Contracting Officer. This means that, at least in theory, contractors responding to new solicitations could find themselves needing to comply with NIST SP 800-171 Rev. 3 as soon as the final version is published by NIST.
More than likely, to avoid such a scenario, DoD will issue a guidance memo in the next several months that outlines the agency’s approach to phasing in Rev. 3’s requirements across the defense supply chain. While individual Contracting Officers may occasionally overlook such a memorandum, most should be willing to amend any RFI/RFP that does not conform to its guidance. That should allow contractors who are currently focused on complying with NIST SP 800-171 Rev. 2 to pivot to the new requirements in Rev. 3 in a timely and more budget-conscious manner.
With respect to CMMC, while the CMMC requirements (embodied in the CMMC Assessment Guides) are a nearly verbatim copy of NIST SP 800-171 Rev. 2, they currently exist independently of the NIST publication. In addition, the current version of DFARS 252.204-7021’s requirements are tied to the CMMC requirements rather than directly to NIST SP 800-171. This allows DoD to update the CMMC requirements on its own timeframe, independent of NIST’s updates to NIST SP 800-171.
This is a good news/bad news scenario for contractors. On one hand, it allows DoD to wait for NIST to publish the updated version of NIST SP 800-171A before DoD tries to update the CMMC requirements. It also allows contractors additional time to implement all of Rev. 3’s required changes while the changes work their way through the CAICO’s and CyberAB’s CMMC training and assessment programs (respectively).
On the other hand, if DoD contractors also hold contracts with other federal agencies, and those agencies require compliance with the then-current version of NIST SP 800-171 (i.e., Rev. 3), contractors could find themselves having to comply with both versions. Similarly, if DoD fails to publish a guidance memo to Contracting Officers before NIST SP 800-171 Rev. 3 is finalized, then when the CMMC regulations go into effect contractors could be required to be certified against NIST SP 800-171 Rev. 2’s requirements (under CMMC) while also having to comply with NIST SP 800-171 Rev. 3’s requirements under DFARS 252.204-7012. Fortunately, it appears that complying with Rev. 3’s requirements (at least as they appear in the initial discussion draft) will also satisfy Rev. 2’s requirements; that is, there do not appear to be significant conflicts for those who are in compliance with Rev. 3.
What to do Today
If your organization is in the process of complying with the requirements in NIST SP 800-171 Rev. 2, those efforts should continue. Rev. 3’s changes generally refine the requirements in Rev. 2, so for the most part your efforts will not be wasted. There are a few exceptions, such as 3.4.8: under Rev. 2 either a deny-by-exception (blacklisting) policy or a deny-all, permit-by-exception (whitelisting) policy is acceptable, whereas the Rev. 3 draft requires a deny-all, permit-by-exception policy for authorized software. Organizations that satisfied 3.4.8 with a blacklist will need to build and maintain an inventory of authorized software. We therefore recommend familiarizing yourself with the proposed changes and, where feasible, adopting the more stringent requirements in Rev. 3 now.
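To make the 3.4.8 difference concrete, the following is an added example (not code from the original article or from NIST) that evaluates a set of constructed sample executables under both policy styles. The binaries, their hashes, and the allow/deny lists are all made up for the illustration; the point it shows is why a deny-by-exception policy cannot stop software it has never seen, while a deny-all, permit-by-exception policy blocks both unknown and tampered binaries by default.

```python
import hashlib

# Constructed sample "executables". In practice these would be file contents
# read from disk; inline byte strings keep the example runnable offline.
SAMPLE_BINARIES = {
    "approved_tool.exe": b"MZ approved vendor tool v1.2",
    "known_malware.exe": b"MZ known bad sample",
    "novel_malware.exe": b"MZ never-seen-before sample",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a binary in both lists."""
    return hashlib.sha256(data).hexdigest()


# Hypothetical lists an organization might maintain (constructed here).
ALLOW_HASHES = {sha256_hex(SAMPLE_BINARIES["approved_tool.exe"])}
DENY_HASHES = {sha256_hex(SAMPLE_BINARIES["known_malware.exe"])}


def deny_by_exception(data: bytes, deny_hashes=DENY_HASHES) -> str:
    """Rev. 2-style blacklisting: everything may run unless explicitly denied."""
    return "deny" if sha256_hex(data) in deny_hashes else "allow"


def permit_by_exception(data: bytes, allow_hashes=ALLOW_HASHES) -> str:
    """Rev. 3-style deny-all, permit-by-exception: nothing runs unless listed."""
    return "allow" if sha256_hex(data) in allow_hashes else "deny"


def compare_policies(binaries=SAMPLE_BINARIES) -> dict:
    """Decision of each policy for every sample binary, keyed by file name."""
    return {
        name: {
            "blacklist": deny_by_exception(content),
            "whitelist": permit_by_exception(content),
        }
        for name, content in binaries.items()
    }


def policy_gaps(binaries=SAMPLE_BINARIES) -> list:
    """Binaries a blacklist would let execute but an allowlist blocks."""
    decisions = compare_policies(binaries)
    return sorted(
        name
        for name, d in decisions.items()
        if d["blacklist"] == "allow" and d["whitelist"] == "deny"
    )


if __name__ == "__main__":
    for name, decision in compare_policies().items():
        print(f"{name:20s} blacklist={decision['blacklist']:5s} "
              f"whitelist={decision['whitelist']}")
    print("only the allowlist stops:", policy_gaps())
```

The tampering case is worth checking as well: appending even one byte to the approved tool changes its hash, so `permit_by_exception` denies the modified copy while `deny_by_exception` still allows it. That is the operational trade-off of the Rev. 3 approach: every legitimate update to authorized software must be reflected in the allowlist, which is why an authorized-software inventory and an update process belong in the 3.4.8 implementation rather than a one-time list.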