In response to the constantly evolving landscape of cybersecurity threats, the National Institute of Standards and Technology (NIST) has recently updated their guidelines for Special Publication NIST 800-171, making its guidance more prescriptive, and potentially making it harder for contractors to comply. NIST 800-171 is a set of guidelines created to help federal agencies and contractors protect Controlled Unclassified Information (CUI).

The draft proposal would significantly change the guidelines included in SP 800-171, keeping the 110 security controls in total, but removing or consolidating some older requirements while adding certain new requirements and providing additional explanations and details for many existing controls. While Revision 3 appreciably improves the details of many individual requirements,  those additional details will make compliance much harder for smaller and medium-sized enterprises, many of which have not even met Revision 2. We discuss the significant updates below.

Expanded scope

One of the most significant changes in the revised NIST guidelines is an expanded scope. The new guidelines apply to all nonfederal entities that handle CUI, including contractors, subcontractors, and other third-party service providers. This change is in response to the increasing number of data breaches caused by third-party vendors and contractors. It emphasizes the importance of secure data handling and management by all parties involved.

More emphasis on supply chain risk management

The revised NIST guidelines place greater emphasis on supply chain risk management. The new requirements would mandate that organizations establish a third-party risk management program that:

  1. Requires external service providers to adhere to organizational security requirements
  2. Establishes a monitoring function to assess external service provider compliance with organizational security requirements
  3. Establishes requirements for development or acquisition of new system components
  4. Uses acquisition strategies or contractual tools to mitigate supply-chain risks
  5. Maintains a process for ongoing identification of supply chain weaknesses or deficiencies

CUI data inventory

The new guidelines would mandate that the specific location of CUI is clearly identified and documented. Organizations should maintain an inventory of system locations where CUI is processed or stored, and the user groupings with access to those locations will need to be clearly identified.

Policies and procedures

While already a requirement for most NIST guidelines, the proposed changes would formalize requirements for organizations to periodically review, approve, and disseminate cybersecurity policies and procedures.

Independent assessment

Similar to other prevalent technology frameworks, including ISO 27001 and SOX 404(a), the revised guidelines include a new requirement for an independent assessment function, such as internal audits. Organizations would need to use independent resources to periodically assess control implementation, however no required cadence for the independent assessments is defined.

Use of multi-factor authentication

The revised NIST guidelines recommend the use of multi-factor authentication (MFA) to improve security for access to all system accounts.

Unsupported system components

As threat actors frequently exploit vulnerabilities contained in system components that may be end-of-life or otherwise unsupported by the developer or manufacturer with security patches, the new revision would require that these unsupported components be replaced or otherwise mitigated through extended support agreements or in-house developed solutions.

Our take

NIST said it expects to issue at least one more draft ahead of a final version of Revision 3 due in early 2024, and while it will likely take some time before the new requirements are incorporated into related regulations and contracts, we expect that most of these updates will ultimately find their way into the final version. While the specificity contained in the draft guidelines may be helpful for some contractors, removing the risk-based components may add a frustrating level of complexity for others. Contractors should quickly examine their compliance level with the current version of NIST 800-171 and determine whether seeking third party experts to meet the new draft requirements is prudent.