May 15, 2023
Breaking News: NIST 800-171r3 released
Last week was a Really Big Week! On Monday, I passed the Certified CMMC Assessor exam, hooray! Tuesday, I received my "suitability" clearance from the DoD (required to serve on CMMC assessment teams). Wednesday, NIST released the initial public draft of Revision 3 ("R3") of its SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" (as you know, the security standard controlling how we protect CUI).
R3 is a complete re-write of R2, basically going back to the roots of the SP 800-53 moderate baseline from which it was derived. I'll be going into detail on some of the changes in future newsletters, but here's a brief summary of the most striking changes IMO.
GOOD NEWS: Most people seem to agree that this version is easier to read and follow. It's much more specific than the previous version, eliminating some of the ambiguity.
BAD NEWS: It's bigger. R3 adds three new families of controls (known as "domains" in CMMC):
- Planning: Remember all those Policy & Procedure documents that were in CMMC 1.0, then were taken out of CMMC 2.0, but were still "NFO Controls" in 800-171r2? Well, they are now actual controls in R3.
- System and Services Acquisition: Some older controls were moved here, some are new.
- Supply Chain Risk Management: All new.
A handful of controls were dropped entirely, while two dozen new ones appeared. Another two dozen were changed from stand-alone to "bundles" with other controls. There are now ~270 individual requirements in R3. We won't know how many Assessment Objectives (AOs) until NIST updates the assessment guide (800-171A) but we expect the number to increase commensurate with the increase in requirements (I've seen estimates of 550-ish).
What does this mean for you?
I would say there are two important considerations now for any organization that handles CUI:
- Remember that DFARS 7012 states that "the covered contractor information system shall be subject to the security requirements in [NIST SP 800-171] in effect at the time the solicitation is issued." This means that when R3 becomes final (expected early 2024), it will immediately be in effect for any new contract solicitations. You should be making plans for this. At a minimum, read R3 and start thinking about any changes you will need to make to your current CUI management program.
- Once R3 becomes final, DoD will likely update the CMMC Model to reflect the changes, and update the training for CCPs and CCAs. I'm guessing this will take another year or so. This means that contractors who are assessed under CMMC 2.0 will be assessed on fewer requirements than those who wait and have to be assessed under CMMC 3.0 (or however they number it).
I've said it before and I'll say it again: The Time To Prepare Is Now.
Need more help? You know where to find me!