NIST SP 800-171 R3: An Overview of the Changes
Published 01/09/2024
Originally published by Schellman.
In the latest revision of the documents relevant to the ongoing CMMC countdown, NIST SP 800-171 R3 has been released. Although this new version contains only a handful of changes, some of them are significant, both in the assessment practices themselves and in how they are presented, and those monitoring the progress of CMMC should know about them.
Why these changes? At a high level, NIST intends to eventually align the 800-171 model with 800-53. Because 800-53 is notably more involved than 800-171, and in order to preserve the spirit of 800-171 and the protection of Controlled Unclassified Information (CUI), NIST 800-171 will essentially become a subset overlay of NIST 800-53 in the future.
That’s why the assessment practices are changing somewhat in this latest revision—in many cases, organization-defined parameters (referred to as “ODP” in the new NIST documentation) are being added to increase flexibility and help organizations better manage risk. Several practices are also being removed or consolidated, while some altogether new practices are being added.
We’re going to break down the changes in NIST SP 800-171 R3 by family. Though more changes will surely come eventually, with this information, you’ll be able to go ahead and get started tailoring your approach.
NIST SP 800-171 R3 Updates
NIST SP 800-171 R3 Practice Family Changes
As it relates to the assessment practices, R3 has added, removed, and consolidated many of the practices from Revision 2. These changes to the assessment practices are summarized by practice family as follows:
- 3.1 Access Control
  - Consolidated:
  - Added: 3.1.23, addressing session logout following a period of inactivity; this new practice is essentially an extension of the previously existing practice 3.1.11.
- 3.4 Configuration Management
  - Consolidated: 3.4.7 (Prevention of Non-Essential Functionality) into 3.4.6.
- 3.5 Identification and Authentication
  - Withdrawn:
  - Consolidated: 3.5.9 and 3.5.10 (Temporary Passwords and Password Encryption) into 3.5.7.
  - Added: 3.5.12 (Authenticator Management), covering controls for managing authenticators that had previously been addressed under other practices.
- 3.7 Maintenance
  - Withdrawn: 3.7.1 (Performance of System Maintenance) has been reclassified as NCO (not directly related to protecting the confidentiality of CUI).
  - Consolidated:
- 3.8 Media Protection
  - Consolidated:
- 3.10 Physical and Environmental Protection
  - Consolidated: 3.10.3, 3.10.4, and 3.10.5 (Facility Access by Visitors) have all been incorporated into a new practice, 3.10.7 (Physical Access Control).
  - Added: 3.10.8 (Physical Access to Transmission Lines, e.g., network cables and devices, and Output Devices, e.g., printers and scanners).
- 3.11 Risk Assessment
  - Consolidated: 3.11.3 (Vulnerability Remediation) into 3.11.2.
  - Added: 3.11.4 (Response from Risk Assessments).
- 3.12 Security Assessment
  - Consolidated: 3.12.4 (Creation and Management of the System Security Plan) into 3.15.2.
  - Added:
- 3.13 System and Communications Protection
  - Consolidated:
  - Withdrawn: 3.13.14 (Control of VoIP Technologies), as it represents a technology-specific practice.
  - Added:
- 3.14 System and Information Integrity
  - Consolidated:
  - Added: 3.14.8, addressing the control of spam and unsolicited email messages.
New Families in NIST SP 800-171 R3
Aside from these changes, some entirely new practice families were also added to make the assessment more comprehensive, raising the total number of families to be assessed from 14 to 17. Those three new families are:
- 3.15 – Planning
- 3.16 – System and Services Acquisition
- 3.17 – Supply Chain Risk Management
Although R3 essentially retains all of the practices from Revision 2, redundant practices have been removed, related practices have been consolidated into single practices with distinct assessment objectives, and new families and practices have been added. Taken together, these changes mean the overall scope of an R3 assessment will increase relative to Revision 2. R3 still has a total of 110 practices with which an organization subject to NIST 800-171 must comply.
What to Expect From NIST SP 800-171 Moving Forward
Up-to-date information on developments in NIST SP 800-171 R3 is available on the NIST website, along with other resources that provide further detail on the changes taking place, including tools to help organizations assess the impact of Release 3 on their compliance initiatives.