November 13, 2023
The latest on NIST SP 800-171r3
Last week saw the release of the NIST SP 800-171 Rev 3 Final Public Draft and the NIST SP 800-171A Rev 3 Initial Public Draft. NIST is accepting (thoughtful, relevant, actionable) comments on both documents until January 12, 2024 (via email to 800-171comments@list.nist.gov). The final versions of both documents (which are what will actually take effect) are expected in the spring. Following are my initial "hot takes" on the two documents:
The numbers There are a few, but not many, changes in 171r3 from the initial public draft earlier this year to the current final public draft. The most confusing part IMO is "how many controls are there now?" I've seen counts from several people that fall generally in line with these:
Total number of controls in R3: 95 (there are 110 in R2)
Total number of assessment objectives in R3: ~440 (there are 320 in R2)
How can there be more AOs with apparently fewer controls? Because for most of the ~33 controls marked "withdrawn" from R2 to R3, it is only the control's ID that was withdrawn. The content of the control was moved into a subpart of an existing control, or recategorized, so the requirement itself didn't go away. Fewer top-level IDs, but the same (or more) work underneath them.
New controls in R3: 18 controls, including three new families of controls (Planning, System and Services Acquisition, and Supply Chain Risk Management)
Level of effort The rough consensus I've seen is that R3 represents about 30% more effort than R2. Three reasons for this:
- More families of controls, new controls added
- NFO controls (the ones R2's Appendix E tailored out as "expected to be routinely satisfied by nonfederal organizations without specification") moved from Appendix E into actual requirements
- True maturity is expected in R3
What does that last one mean? Well, in addition to the documentation requirements, many of the controls and AOs in R3 assume you are already doing other things. For example, 3.7.1 "Perform maintenance on organizational systems" was recategorized as NCO (NCO = "not directly related to protecting the confidentiality of CUI"), so it is no longer a stand-alone requirement. But if you aren't actually performing maintenance, you will have a hard time executing the remaining controls in the Maintenance family, and you will need to demonstrate that you are performing maintenance as an underlying requirement for those other controls.
Update your documentation Much of your existing documentation will need to be updated from R2 to R3 for existing controls (as well as for the new ones). For example, 3.1.14 and 3.1.15 were incorporated into 3.1.12 and are now numbered 03.01.12.c and 03.01.12.d, respectively, so any SSP, policy or procedure that cites the old IDs needs to be renumbered. Some controls were moved to a different family, so if your policies are organized by family, you'll have adjustments to make there too. Finally, the overall documentation requirements are both more numerous and more specific than in R2.
Next steps What place should R3 have in your current security program? R3 is still a draft and does not take effect until the final version is published, so R2 remains the requirement you are assessed against today. But you need to be aware of the upcoming changes in requirements, so that you can take them into consideration when making any changes to your system now rather than reworking them later.
Need help? You know where to find me!
Sincerely,
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!