On May 10, 2023, the National Institute of Standards and Technology (NIST) released a draft version of Revision 3 for Special Publication (SP) 800-171, the foundational framework of requirements for protecting controlled unclassified information (CUI). NIST is seeking public comments on the proposed modifications and additions through July 14, 2023. The new revision is still in draft form, so final requirements could look different. It is also unclear when the final version of the document will be released and how it will be adopted.
While still in draft form, the changes introduced will require organizations to consider how their CUI protection programs need to be modified. Organizations that maintain contracts with U.S. Department of Defense or may be preparing for Cybersecurity Maturity Model Certification (CMMC) compliance will need to consider incorporating these new requirements into their CUI protection and cybersecurity programs.
The CMMC Advisory team at FORVIS has conducted an early analysis of the new revision and has prepared perspective for some of the key changes, including the addition or modification of security requirements that may be of most interest or require immediate attention.
Top Five Requirement Modifications
It’s clear that one of NIST’s primary objectives with the revision was to enhance consistency between SP 800-171 and the more expansive SP 800-53 Rev. 5. As such, 49 controls were identified as containing “Significant Changes” per NIST’s published analysis. Below are the top five changes we believe may most affect organizations subject to SP 800-171 compliance.
3.13.11 Cryptography: The requirement to protect CUI using only FIPS-validated cryptography received the most feedback of any individual requirement during the pre-draft comment period for Revision 3. FIPS-validated encryption can be challenging to implement, and many organizations have struggled with understanding how best to meet the requirement.
In alignment with received feedback, NIST has aligned this requirement with the corresponding SP 800-53 Rev. 5 controls. Planned updates include allowing organizations to define the level of cryptography required for protection of CUI, with organizationally defined parameters (ODPs) based upon the organization’s own assessment of risk. Organizations would not be required to use FIPS-validated system components but would instead be permitted to implement self-defined encryption solutions.
3.4.8 Authorized Software: Under existing SP 800-171 requirements, organizations may choose to limit permitted software through allow-by-exception or deny-by-exception configurations. The planned changes would be more restrictive in requiring a deny-all, allow-by-exception policy. Organizations would be required to maintain approved software libraries and enforce a process for approving software that has not been explicitly approved for use.
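The deny-all, allow-by-exception model described above can be checked mechanically against an endpoint inventory. The following is an added example and is not code from FORVIS, NIST, or SP 800-171 itself; the approved-software library, the exception records and the inventory rows are all constructed for illustration, and a real program would pull the inventory from an endpoint agent or CMDB. Anything that is neither in the standing library nor covered by an unexpired, documented exception is reported as not approved, which is the default under a deny-all policy.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ApprovalException:
    """A documented, time-bound approval for software outside the standing library."""
    name: str
    version: str
    approved_by: str
    expires: date


# Constructed standing approved-software library: exact (name, version) pairs.
APPROVED_LIBRARY = {
    ("7-zip", "23.01"),
    ("openssh-client", "9.3"),
}

# Constructed exception records produced by the approval process.
EXCEPTIONS = [
    ApprovalException("wireshark", "4.0.6", "security-lead", date(2023, 12, 31)),
    ApprovalException("legacy-tool", "1.0", "security-lead", date(2023, 1, 31)),  # already expired
]

# Constructed endpoint inventory, shaped like an agent report.
INVENTORY = [
    {"host": "ws-01", "name": "7-zip", "version": "23.01"},
    {"host": "ws-01", "name": "wireshark", "version": "4.0.6"},
    {"host": "ws-02", "name": "legacy-tool", "version": "1.0"},
    {"host": "ws-02", "name": "openssh-client", "version": "8.9"},  # approved name, unapproved version
    {"host": "ws-03", "name": "unknown-agent", "version": "0.1"},
]


def classify(item, approved, exceptions, today):
    """Return the approval status of one inventory row under deny-all semantics."""
    key = (item["name"], item["version"])
    if key in approved:
        return "approved"
    for exc in exceptions:
        if (exc.name, exc.version) == key:
            # A recorded exception only counts while it is still in force.
            return "exception" if exc.expires >= today else "expired-exception"
    return "not-approved"


def evaluate_inventory(inventory, approved=APPROVED_LIBRARY, exceptions=EXCEPTIONS, today=None):
    """Group every non-approved row by status so each bucket can be actioned separately."""
    today = today or date.today()
    findings = {}
    for item in inventory:
        status = classify(item, approved, exceptions, today)
        if status != "approved":
            findings.setdefault(status, []).append((item["host"], item["name"], item["version"]))
    return findings


if __name__ == "__main__":
    for status, rows in evaluate_inventory(INVENTORY, today=date(2023, 6, 1)).items():
        print(status)
        for host, name, version in rows:
            print(f"  {host}: {name} {version}")
```

Matching on exact name and version is deliberate: an approved product at an unapproved version is still outside the library, and the expired-exception bucket gives the approval process a list of records that need renewal or removal rather than silently lapsing into the not-approved set.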
3.1.5 & 3.10.1 Entitlement Review Process: While a review of user access may be an existing component of many cybersecurity programs, the planned changes explicitly require this process to be performed for logical and physical access to organizationally defined system components. FORVIS recommends organizations create and retain adequate evidence to demonstrate these reviews occurred at organizationally defined intervals.
3.4.2 Baseline Configurations & Exception Handling: Requirements around the establishment of security configuration baselines for system components will be enhanced with requirements for ongoing system configuration monitoring. In addition, planned control modifications would require that deviations from documented configuration standards be clearly documented and approved, typically performed through an exception handling process.
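Ongoing configuration monitoring with documented, approved deviations amounts to comparing observed settings against a baseline and separating drift that has an exception record from drift that does not. The following is an added example, not code from FORVIS or NIST; the baseline, the observed host configurations and the deviation records are constructed. The setting names mirror OpenSSH server options so the example reads realistically, but the values and hosts are invented.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ApprovedDeviation:
    """One approved departure from the baseline, tied to an exception record."""
    host: str
    setting: str
    value: str
    ticket: str      # reference to the exception-handling record (constructed)
    expires: date


# Constructed security configuration baseline for the SSH service.
BASELINE = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "X11Forwarding": "no",
    "LogLevel": "VERBOSE",
}

# Constructed approved deviations from the exception-handling process.
DEVIATIONS = [
    ApprovedDeviation("bastion-01", "PasswordAuthentication", "yes", "EXC-0042", date(2023, 12, 31)),
]

# Constructed observed settings, as a configuration scanner might collect them.
OBSERVED = {
    "bastion-01": {"PasswordAuthentication": "yes", "PermitRootLogin": "no",
                   "X11Forwarding": "no", "LogLevel": "VERBOSE"},
    "app-01": {"PasswordAuthentication": "no", "PermitRootLogin": "yes",
               "X11Forwarding": "no"},  # LogLevel absent entirely
}


def check_host(host, observed, baseline, deviations, today):
    """Compare one host against the baseline; a missing setting counts as drift."""
    findings = []
    for setting, expected in baseline.items():
        actual = observed.get(setting)
        if actual == expected:
            continue
        record = next((d for d in deviations
                       if d.host == host and d.setting == setting and d.value == actual), None)
        if record is not None and record.expires >= today:
            status = f"approved-deviation:{record.ticket}"
        elif record is not None:
            status = f"expired-deviation:{record.ticket}"
        else:
            status = "unapproved-drift"
        findings.append({"host": host, "setting": setting,
                         "expected": expected, "actual": actual, "status": status})
    return findings


def check_fleet(observed=OBSERVED, baseline=BASELINE, deviations=DEVIATIONS, today=date(2023, 6, 1)):
    """Run the baseline comparison across every observed host."""
    return [finding
            for host, config in observed.items()
            for finding in check_host(host, config, baseline, deviations, today)]


if __name__ == "__main__":
    for f in check_fleet():
        print(f"{f['host']}: {f['setting']} expected {f['expected']!r}, "
              f"got {f['actual']!r} -> {f['status']}")
```

The approved deviation for bastion-01 is matched on host, setting and the actual value, so a change to any other value on that host is still reported as drift, and the ticket reference in the status string is what an assessor would ask for as evidence that the deviation was documented and approved.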
3.5.3 Multi-Factor Authentication (MFA): In alignment with NIST SP 800-53 Rev. 5, the planned updates would require MFA for access to all system accounts. While practical implementation of this change does not represent a significant departure from existing requirements, the change is worth highlighting, pending additional guidance and interpretation. We believe this change is intended to simplify and strengthen one of the most critical security control requirements.
Top Five New Requirement Areas
- Supply Chain Risk Management is an area of emphasis in newly introduced requirements. At least five of the 26 proposed control additions are supply chain oriented. The new requirements would mandate that organizations establish a third-party risk management program that:
  - Requires external service providers to adhere to organizational security requirements
  - Establishes a monitoring function to assess external service provider compliance with organizational security requirements
  - Establishes requirements for development or acquisition of new system components
  - Uses acquisition strategies or contractual tools to mitigate supply-chain risks
  - Maintains a process for ongoing identification of supply chain weaknesses or deficiencies
- Information Location: Sometimes referred to as a “data inventory,” the specific location of CUI will need to be clearly identified and documented. Organizations should maintain an inventory of system locations where CUI is processed or stored, and the user groupings with access to those locations will need to be clearly identified.
- Policies & Procedures: Already an existing backbone of a strong cybersecurity program, the proposed changes would formalize requirements for organizations to periodically review, approve, and disseminate cybersecurity policies and procedures.
- Independent Assessment: Similar to other predominant technology frameworks, including ISO 27001 and SOX 404(a), a requirement for an independent assessment function, such as internal audits, is planned to be incorporated as a part of NIST SP 800-171 Rev. 3. Organizations would need to use independent resources to periodically assess control implementation. However, unlike other frameworks, no required cadence for the independent assessments is defined.
- Unsupported System Components: System components that are end-of-life or otherwise no longer receive security patches from the developer or manufacturer increase the risk that a system can be compromised by a malicious actor. The new revision would require that these unsupported components be replaced or otherwise mitigated through extended support agreements or in-house developed solutions.
How FORVIS Can Help
Though the requirements are still in draft form, FORVIS recommends organizations that handle CUI assess the new and modified requirements and begin considering how they would incorporate them into their CUI protection programs. As an authorized C3PAO, FORVIS provides readiness assessment and advisory services to help contractors interpret requirements for their unique environments and CUI use case.
If you have any questions or need assistance, please reach out to a professional at FORVIS or use the Contact Us form below.