NIST Releases New CUI Security Requirements

Category: Compliance, News

The long-awaited NIST 800-171 Revision 3 has been released. What’s new, and what are the implications for CMMC?

If you have Controlled Unclassified Information (CUI) in your environment, you’re probably familiar with NIST 800-171 - the baseline security requirements you are contractually obligated to implement by DFARS 252.204-7012. On May 14, 2024 NIST released NIST 800-171 Revision 3, updated from Revision 2, that defense contractors are now required to meet - and it’s vastly different from the preceding Revision.

“What’s new in Revision 3?”

Change #1: Overall Structure

First and foremost, Revision 3 changed the entire structure of NIST 800-171. Where previously each control was a one-sentence statement, the controls are now aligned much more closely with NIST 800-53 Revision 5, the control catalog that forms the basis of multiple compliance frameworks, including FedRAMP. This means most controls now have multiple criteria (sub-parts), and many also contain organization-defined parameters that your organization will need to select values for. Take control 03.01.05 for example:

Clearly, there is a pretty significant difference. Where previously you only had to address a simple statement about least privilege, you now have to address parts a through d. You also have to define which security functions and which security-relevant information you are authorizing access to, and the frequency at which those privileges will be reviewed.

Change #2: No More Basic and Derived Requirements

NIST 800-171 Revision 2 broke controls into two categories: basic and derived. The basic security requirements came from FIPS Publication 200, published back in 2006. The derived security requirements came from NIST 800-53 Revision 4. NIST 800-171 Revision 3 instead starts from the NIST 800-53 moderate baseline and tailors it, removing controls that do not apply, to arrive at the updated requirements.

Change #3: No More NFO Controls

The tailoring criteria for Revision 2 had four categories: Controlled Unclassified Information (CUI), Non-Federal Organization (NFO), Not Confidential (NCO), and Federal (FED). NIST excluded the NCO and FED categories from Revision 3 because they either were not directly related to the confidentiality of CUI or were deemed a federal government responsibility. CUI controls were explicitly included in the control requirements, but NIST 800-171 Revision 2 also had a strange category called NFO. Controls in the NFO category were “expected to be routinely satisfied by nonfederal organizations without specification.” This meant that even though NFO controls weren’t directly included in the baseline, the federal government still expected your organization to have those controls in place and properly implemented. Thankfully, NIST 800-171 Revision 3 completely drops this sneaky requirement, opting instead to include all of the applicable controls directly in the tailored requirements. NIST 800-171 Revision 3 also adds “Not Applicable” and “Other Related Controls” (ORC) to the tailoring criteria. A control labeled ORC is one whose outcome is already achieved by other controls: if those other controls are implemented, separately implementing the ORC-tagged control is unnecessary.

Change #4: Number of Controls

NIST 800-171 Revision 2 had 110 controls that needed to be implemented. NIST 800-171 Revision 3 adds new requirements, including the Supply Chain Risk Management (SR), System and Services Acquisition (SA), and Planning (PL) control families. While a number of controls were added in Revision 3, NIST also withdrew or consolidated several others, for a total of 97 controls.

“What does this mean for CMMC?”

If you have CUI in your environment, then the CMMC Program applies to you (YES YOU!). The DoD’s Proposed Implementation Plan for CMMC, described in our January ACT Post, requires defense contractors to be assessed on how they have implemented each of the NIST 800-171 security controls, starting as early as January 2025. The CMMC Program requires contractors to implement the latest version of NIST 800-171, meaning that Revision 3 is now the requirement.

“But I’m nowhere near ready for Revision 3 with all these changes - what do I do?”

Well, I have good news for you! Most defense contractors are in the same situation, so the Office of the Undersecretary of Defense (OUSD) released a class deviation allowing any contractor subject to DFARS 252.204-7012 to comply with NIST 800-171 Revision 2 instead of Revision 3 until further notice. This class deviation remains in effect until rescinded, which will likely allow most contractors to be assessed against Revision 2 for their first CMMC Assessment. However, it is important to identify the gaps between Revision 2 and Revision 3 now and make a plan for implementing those controls, since there is no telling when that deviation will be rescinded.

Are you preparing for the upcoming CMMC assessment requirements? Need help identifying or remediating gaps? Hive Systems is here to help! Our CMMC Readiness Assessment service will position your company to understand how you will be assessed and what requirements need to be in place, and will help you implement the processes and technology needed to overcome any issues that may prevent you from meeting the DoD’s strict criteria. We also have FREE System Security Plan templates to download for both NIST 800-171 Revision 2 and Revision 3, and our subject matter experts are Certified CMMC Professionals, bringing in-depth knowledge of the unique requirements of CMMC and hands-on experience implementing them. Contact us today!
