
NIST SP 800-171 Rev 2 vs Rev 3: What’s The Difference? – Source: securityboulevard.com


Source: securityboulevard.com – Author: Max Aulakh

Government cybersecurity and information security frameworks are a constant work in progress. Many different frameworks draw their requirements from the National Institute of Standards and Technology, and one of the most important documents for cybersecurity is NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

One of the key pillars of government security frameworks is the ability for these core documents to be updated and iterated upon. NIST SP 800-171 is no different; it is currently on Revision 3. Rev 3 was published in May of 2024, and brings with it many changes, along with many questions. So, what has changed, and what version should you be using?

Following Along at Home

First, in brief, if you want to compare the documents yourself, NIST maintains both the live version of the latest revision and past revisions, along with key information about them.


You can find them here:

Additionally, NIST provides a spreadsheet that outlines the changes between revision 2 and revision 3, which you can find here (XLSX link).

The Short Version

Before digging into the details, we can give a brief overview of what has changed in terms of broad category and scope.


Here’s what you should know:

  • 18 security controls were not changed at all, or were not changed in any significant way. They may have been slightly rephrased or had word choices changed, but these changes don’t impact the security control at all.
  • 15 security controls have had some minor changes. These are often editorial changes and can influence the level of detail or the outcome of the control’s requirements.
  • 46 security controls have had a significant change. These changes can be additional details in the requirements, more comprehensive details on requirements, and information on foundational tasks for the requirement.
  • 19 security controls are brand new for NIST SP 800-171 Revision 3, and were not present in revision 2. These may address new and emerging technologies, or may be a new synthesis of multiple previous controls.
  • 33 security controls have been withdrawn. These were generally either contradictory, confusing, outdated, or overlapped with other security controls.
  • 49 new organization-defined parameters have been added.

To give a couple of examples:

Under the family Access Control, the control numbered 3.1.19, which was the requirement to encrypt CUI on mobile devices and mobile computing platforms, has been withdrawn. This is because that requirement has now been added to 03.01.18, Access Control for Mobile Devices, which has expanded to encompass the withdrawn requirement.

Another example is under the control family Audit and Accountability. The control 3.3.1, about auditing logs, has been changed.

Revision 2:

“Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.”

Revision 3:

“a. Specify the following event types selected for logging within the system: [Assignment: organization-defined event types].

1. Review and update the event types selected for logging [Assignment: organization-defined frequency].”

Change Analysis:

“New security requirement title

Aligned with SP 800-53, Rev 5 to provide more comprehensive detail on and foundational tasks for event logging

Added new ODP: event types to log

Added new ODP: frequency to review and update event types selected for logging.”

This should give you an idea of what kinds of information are available in the change analysis document linked above.

For the rest of this post, we’ll talk more in terms of theory, overall purpose, and practicality, rather than simply copy-and-pasting the whole of the change log and calling it a day. If you want the specific data, it’s right here.

Analyzing the Changes from Revision 2 to Revision 3

Now let’s talk a bit about the changes in a general, overall sense. What can you expect from the new revision?

There Are Fewer Security Controls… Sort Of

NIST SP 800-171 revision 2 has 110 security controls and requirements. Revision 3 has only 97 security requirements.

On paper, this is a 12% decrease in the number of security requirements you need to go through when you perform an assessment, an audit, or a review.


This is, however, somewhat misleading. Part of the overall purpose of revision 3 was to re-evaluate controls from the originating, larger publication, NIST SP 800-53. NIST decided that SP 800-171 would want to encompass around 156 controls from SP 800-53.

If 156 controls are represented in 97 requirements, where do the 59 excess controls go? For the most part, they’re merged and aggregated. Sometimes, one single security control encompasses nearly an entire scope of technology or device type, which would normally be divided into several distinct controls in SP 800-53.

So, while Revision 3 may seem smaller, it’s no less complex. Sometimes, one single security requirement can feel like half a dozen merged into one, because that is exactly what it is.

Withdrawn Requirements Aren’t Gone

This is similar to the previous point. While NIST SP 800-171 Revision 3 withdraws 33 security requirements from the document, almost every one of them is simply merged with another existing control. Those requirements aren’t gone; they just moved.


You generally still have all of the same requirements, just under different names. Our example above of the mobile encryption and mobile access control requirements is a good one to illustrate the point.

Reporting Requirements are Steeper

For a security requirement outlined in NIST SP 800-171 to be considered implemented, you need to be able to issue a determination statement for it. In practice it is rarely just one: a single control will often have several individual determination statements, one for each aspect of it.

SP 800-171 revision 2 had 110 requirements, but a total of 320 determination statements would need to be made to consider it fully implemented.

SP 800-171 revision 3 bumps that number up to 422 determination statements. That’s a 32% increase in the number of individual items of proof that are needed for a full implementation.


This isn’t as much of a burden as it might sound. For the most part, this increase is explained by previous, more general statements being broken down into smaller, more individually tangible statements.

Organizationally-Defined Parameters Are Important

In NIST SP 800-171 Revision 2, security requirements are generally fixed. However, they are often frustratingly nonspecific.

For example, in revision 2, a control said, “limit unsuccessful log-on attempts.” But it did not specify what that limit should be. Do you cut off after three unsuccessful log-on attempts per hour? Five per day? All revision 2 specified was that a limit needs to be in place, not what that limit is.

Revision 3 attempts to correct this by adding organizational determination to the mix. The new version of that control now says, “enforce a limit of [organizationally defined] unsuccessful log-on attempts during [organizationally defined] time periods and take [organizationally defined] actions after the maximum attempts have been made.”

This one control now has three ODPs. They let an organization specify how many unsuccessful attempts can be made before a lock-out, how long the time period is over which those attempts are counted, and what actions are taken (such as the lock-out itself). This is essentially putting business policy on paper in a way that is enforceable and organization-wide. Critically, it means organizations don’t all have to have identical policies. They must have a policy, but two different organizations don’t need the same details.
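Here is an added example, not from the original post or from Ignyte, of what those three ODPs look like once they are turned into enforceable policy: a small Python logon limiter whose only configuration is the three ODPs (attempt limit, time window, action), run under two hypothetical organizations’ policies. The user names, passwords, attempt counts and time windows are constructed for illustration and are not values from the standard.

```python
"""Account lockout control parameterized by the three ODPs of the
unsuccessful-logon requirement: max attempts, time window, action."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List


@dataclass(frozen=True)
class LockoutPolicy:
    """One organization's answers to the three ODPs."""
    max_attempts: int         # ODP 1: unsuccessful attempts allowed
    window_seconds: int       # ODP 2: time period in which they are counted
    action: str               # ODP 3: "lock" (temporary lock) or "notify" (deny + alert)
    lockout_seconds: int = 0  # duration of the lock when action == "lock"


@dataclass
class AccountState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0


class LogonLimiter:
    """Enforces a LockoutPolicy in front of any credential verifier."""

    def __init__(self, policy: LockoutPolicy, verify: Callable[[str, str], bool]):
        self.policy = policy
        self.verify = verify
        self.state: Dict[str, AccountState] = {}
        self.notifications: List[str] = []  # produced by the "notify" action

    def attempt(self, user: str, password: str, now: float) -> str:
        p = self.policy
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"  # inside a lock: refuse without even verifying
        # Forget failures that have aged out of the ODP time window.
        while st.failures and now - st.failures[0] >= p.window_seconds:
            st.failures.popleft()
        if self.verify(user, password):
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) < p.max_attempts:
            return "denied"
        # Limit reached within the window: apply the ODP-selected action.
        st.failures.clear()
        if p.action == "lock":
            st.locked_until = now + p.lockout_seconds
            return "locked"
        if p.action == "notify":
            self.notifications.append(
                f"{user}: {p.max_attempts} failures within {p.window_seconds}s at t={now:.0f}")
            return "denied"
        raise ValueError(f"unknown ODP action {p.action!r}")


# Constructed credential store; a real system would check a hashed password.
USERS = {"alice": "correct horse"}


def verify(user: str, password: str) -> bool:
    return USERS.get(user) == password


# Two hypothetical organizations, same control, different ODP values.
ORG_A = LockoutPolicy(max_attempts=3, window_seconds=3600, action="lock", lockout_seconds=900)
ORG_B = LockoutPolicy(max_attempts=5, window_seconds=86400, action="notify")

# Constructed attempt scripts: (seconds since start, password tried).
SCRIPT = [(0, "wrong"), (10, "wrong"), (20, "wrong"), (30, "correct horse"), (1000, "correct horse")]
WINDOW_SCRIPT = [(0, "wrong"), (3000, "wrong"), (3700, "wrong"), (3800, "wrong")]


def run(policy: LockoutPolicy, script, user: str = "alice") -> List[str]:
    """Replay a script against a fresh limiter and return the outcome of each attempt."""
    limiter = LogonLimiter(policy, verify)
    return [limiter.attempt(user, pw, t) for t, pw in script]


if __name__ == "__main__":
    print("ORG_A:", run(ORG_A, SCRIPT))          # locked on the 3rd failure, clears at t=920
    print("ORG_B:", run(ORG_B, SCRIPT))          # 3 failures is under B's limit of 5
    print("ORG_A window:", run(ORG_A, WINDOW_SCRIPT))  # failure at t=0 ages out before the 3rd
```

Under ORG_A the correct password at t=30 is still refused because the lock has not expired; under ORG_B the same sequence never trips the limit. The window script shows why ODP 2 matters: the failure at t=0 has aged out by t=3700, so the lock only triggers at t=3800.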


ODPs are new in revision 3, and they allow for a lot of customization and flexibility in implementation. However, they must be specified, and that’s another set of details that need to be tracked and submitted. There are a total of 88 of them throughout Revision 3. Added to the 422 determination statements, that means there are 510 items that must be submitted for 800-171 compliance under revision 3.

There Are Three New Control Families

We’ve already talked about how there are fewer overall controls, but we haven’t mentioned the number of control families that exist in SP 800-171 revision 3. There are three new control families, for a total of 17, as opposed to revision 2’s 14 families.


The three new families are:

  • Planning, which encompasses Policy and Procedures, and Rules of Behavior
  • System and Services Acquisition, which encompasses Unsupported System Components and External System Services
  • Supply Chain Risk Management, which encompasses Supply Chain Risk Management Plans; Acquisition Strategies, Tools, and Methods; and Supply Chain Requirements and Processes

If these sound familiar, it’s because some of them already existed in revision 2 under different families. They’ve been spun off into their own families and expanded. Only the Supply Chain Risk Management family is truly new, a response to modern supply chain attacks like SolarWinds.

More Clarity on Previously Assumed Controls

One of the hazards of revision 2 was NFOs, or Non-Federal Organization controls. These were controls from SP 800-53 that were not specifically included in SP 800-171 but were assumed to be required because of other frameworks.

A common cause of failure, especially for CMMC, was organizations that adhered to SP 800-171 but didn’t know about, or didn’t document, their adherence to the NFO controls. This has caused many failed audits and delayed certifications.


With revision 3, NFO controls are gone. Anything that is required is stated in the controls, and if it’s not in the controls, it’s not required – at least under frameworks that use SP 800-171. Other, stricter frameworks will have other sources of controls, of course.

This is good news for federal contractors working on compliance with CMMC. It makes CMMC generally easier and clearer to implement.

Which Version of NIST SP 800-171 Should You Use for CMMC?

CMMC is poised to be the most impactful change to federal cybersecurity in the coming years. The newest revision’s final rule is now in effect, and the clock is ticking to implement it.

The question then becomes: which version of NIST SP 800-171 do you use when you’re seeking to comply with CMMC requirements?

For now, there’s good news, and there’s bad news.

The good news is, if you’ve been working on implementing the controls in NIST SP 800-171 revision 2, you can carry on.

The bad news is that if you’ve been working on proactively implementing the requirements in NIST SP 800-171 revision 3, you may be jumping the gun. That said, if you’re not seeking CMMC compliance and are just complying with the SP 800-171 framework, revision 3 is the way to go for the most updated compliance.


In part, what you use depends on the implementation level of CMMC you’re pursuing.

  • Level 1 is a pared-down set of rules that equate to good cyber-hygiene.
  • Level 2 is the full set of controls laid out in NIST SP 800-171 revision 2.
  • Level 3 is level 2 with the addition of the controls in NIST SP 800-173.

As of the most recent Final Rule for CMMC 2.0, the requirements are derived from NIST SP 800-171 revision 2. To quote the final rule directly: “NIST SP 800-171 Revision 3 is not currently applicable to this rule.”

This will very likely change in the future, but the timeline for when that might happen is unclear. Fortunately, significant changes like that often have a 2-3-year on-ramp, so when it does change, you will have time to implement the new version before your next reassessment.

If you’re willing to double-document across two different standards, you can potentially implement everything from both revision 2 and revision 3, though there may be the occasional inconsistency or conflict. In those cases, you would want to preferentially implement revision 2’s standards until such time as the CMMC rule changes.

Whatever your compliance needs, from NIST SP 800-171 revision 2 or 3, to CMMC, to FedRAMP, HIPAA, DFARS, ITAR, or anything else, we’re here to help. The Ignyte Assurance Platform was designed as a non-siloed, centralized, collaborative repository for compliance documentation and reports. Whatever your needs, our experts know how to help you, and our platform is designed to make it easy. All you need to do to get started is book a demo!

*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/nist/nist-sp-800-171/

Original Post URL: https://securityboulevard.com/2025/03/nist-sp-800-171-rev-2-vs-rev-3-whats-the-difference/?utm_source=rss&utm_medium=rss&utm_campaign=nist-sp-800-171-rev-2-vs-rev-3-whats-the-difference

Category & Tags: Security Bloggers Network,NIST – Security Bloggers Network,NIST
