Understanding Recent Changes to NIST 800-171

    As cybersecurity threats evolve, organizations need to keep their security standards, controls, procedures, and policies for handling internal and customer data current. One of the key standards in this area is NIST Special Publication 800-171. NIST has released a major revision of 800-171 (Revision 3) that strengthens the security requirements and adapts them to new challenges.

    In this article, we'll delve into these changes, explain their implications, and propose strategies for how organizations can align with them.

    Background of NIST 800-171

    Before discussing the changes, it's important to review the context and purpose of NIST 800-171. Developed by the National Institute of Standards and Technology (NIST), this publication specifies requirements for protecting the confidentiality of controlled unclassified information (CUI) when that information resides in non-federal systems and organizations. That makes it a critical standard for federal contractors and other entities that process, store, or transmit CUI on behalf of the federal government.

    Additionally, this standard forms the basis of the Cybersecurity Maturity Model Certification (CMMC). CMMC is the Department of Defense (DoD) program for verifying that the information systems its contractors use to process, transmit, or store sensitive data actually meet the information security requirements the DoD mandates (for DoD contracts, NIST 800-171 compliance is already required by DFARS clause 252.204-7012). The goal is to ensure appropriate protection of CUI and federal contract information (FCI) stored and processed by a partner or vendor.

    While the standard referenced by CMMC remains NIST 800-171 Rev 2, 800-171 Rev 3 is expected to become the standard at some point in the future. Organizations should be aware of the significant changes that adopting 800-171 Rev 3 will introduce into their compliance programs.

    What’s new in the updated NIST 800-171?

    The latest revision of NIST 800-171 includes several changes that focus on enhanced security controls and clarity in implementation. Here are some of the key updates:

    1. Increased clarity and guidance: The updated document provides clearer guidance to help organizations understand and implement the security requirements more effectively. Requirement language is now aligned with the corresponding controls in NIST SP 800-53 Rev 5, the distinction between "basic" and "derived" requirements has been removed, and each requirement carries a discussion section explaining how to apply it in different scenarios.

    2. Enhanced security requirements: Several new requirements have been added to address emerging security threats and vulnerabilities, including measures related to mobile device management, cloud services, and stronger user authentication. By expanding the scope of protection, NIST aims to fortify the framework against more sophisticated cyber threats. Rev 3 also adds three new requirement families, Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR), bringing the total to 17 families.

    3. Assessment objectives: The revision is accompanied by an updated companion publication, NIST SP 800-171A Rev 3, which defines specific assessment objectives for each security requirement. These objectives tell organizations exactly what an assessor will look for under each requirement, which simplifies compliance planning and evaluation.

    4. Tailoring options: Recognizing the diverse nature of organizations handling CUI, the updated NIST 800-171 introduces organization-defined parameters (ODPs): placeholders in selected requirements, such as the frequency of a review or the maximum number of failed logon attempts, whose values the organization (or the federal agency it works for) sets. Organizations can adjust these values based on specific conditions or the sensitivity of the CUI they handle, provided they do not compromise the security of the CUI.

    5. Incident response enhancements: Enhanced incident response requirements aim to ensure that organizations can effectively identify, respond to, and recover from security incidents. The updated guidelines emphasize having a documented incident response plan that is regularly tested and updated.

    Implications for organizations

    The updates to NIST 800-171 have several implications for organizations that handle CUI, including:

    • A system security plan: This is a formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. The system security plan will need to cover all 97 of the requirements in NIST 800-171 Rev 3, including the values chosen for each organization-defined parameter.

    • Stricter compliance requirements: With the introduction of new security controls and enhanced guidelines, organizations may need to invest more in their cybersecurity infrastructure and processes to meet the updated standards.

    • Regular training and awareness: As the standard now includes more detailed requirements around user authentication and mobile device management, ongoing training for employees on the latest security practices becomes even more critical.

    • Rigorous assessments: Because assessors evaluate each assessment objective individually, the new revision leads to more rigorous assessments. Organizations should be prepared for comprehensive evaluations of their compliance with the updated NIST 800-171.

    Steps to comply with the updated NIST 800-171

    Compliance with NIST 800-171 requires a well-structured approach. Here are some steps organizations can take:

    1. Conduct a gap analysis: Review current security practices against the updated NIST 800-171 to identify areas where changes are needed.

    2. Develop an implementation plan: Based on the gap analysis, develop a detailed plan to address deficiencies. Prioritize actions based on risk assessments.

    3. Implement required controls: Update security policies, processes, and tools as needed to meet the new requirements, and work from the assessment objectives rather than the requirement headings, since a requirement is only satisfied when every one of its objectives can be demonstrated. Ensure all changes are well-documented; the system security plan and supporting evidence are what the assessor will review.

    4. Train employees: CMMC assessments will include a more robust validation of the employee training program. The increased oversight focuses specifically on training quality, topic coverage, and the regularity or frequency of training.

    5. Regularly review and update security practices: Continuous monitoring and periodic reviews are essential to ensure ongoing compliance and address any newly identified vulnerabilities or threats.

    Conclusion

    The updates to NIST 800-171 are extensive. While the number of requirements has decreased from 110 to 97, every assessment objective under a requirement must be met in order to satisfy it. This is a substantial increase in coverage, and likely in effort, for the organization seeking compliance.

    The changes to NIST 800-171 are meant to encourage a proactive approach to the dynamic challenges in cybersecurity. Complying with the new standard will require understanding these changes and implementing the required controls strategically. That will need support from the top of the organization, because many of these changes require a significant investment of money and resources.