NIST 800-171 Revision Draft Could Mean An Increase In Contractor Responsibility: Here Are 6 Reasons Why

    The draft of the latest revision to NIST SP 800-171 has been published, and the changes mean increased responsibility for DoD contractors.

    4 Minutes Read

    If you’re a contractor in the Defense Industrial Base, chances are you’re likely familiar with the ever-growing cybersecurity requirements found in your current or upcoming contracts.

    You are also probably aware that DFARS 7012 requires that all DoD contractors must comply with NIST SP 800-171 requirements in its latest published revision (Revision 2).

    Just like anything else that’s created or written down, NIST 800-171 will be updated from time to time. And when it gets updated, that means your cybersecurity requirements get updated as well.

    If you want to remain compliant and meet your contractual obligations (and continue to bid and win on contracts), it’s extremely important to know what the draft of the latest revision – Revision 3  – of the NIST 800-171 requirements say. 

    Hot Take: Revision 3 of NIST 800-171 looks like it could increase the contractor’s responsibility of implementing cybersecurity controls by about 145%.

    Luckily for you, we’ve done the work of weeding through the latest revision of the 100+ page draft document that is NIST 800-171 Revision 3, and we’ve simplified some of the key changes and takeaways from the newest revision.

    Let’s look at 6 key takeaways from the latest revision of NIST 800-171 (Revision 3), and how they apply to your organization:

    Big Picture Takeaway: NIST 800-171 Rev 3 requirements are more modular and flexible than Rev 2

    Overall, NIST 800-171 Rev 3 is more modular in its approach. In other words, instead of prescribing specifics to contractors, the latest revision points back to the responsible agency or organization.

    This change is logical because each agency requires its own level of protection depending on the data being disseminated.

    Therefore, when the final publication of NIST 800-171 Rev 3 is released, DoD contractors should be prepared to meet what is referred to as organization-defined parameters (ODP) – which will either mean meeting DoD standards or setting your own in order to better manage risk.

    Key Takeaway #1: You might need an independent assessment to meet the new standards of NIST 800-171

    In Revision 3, there’s a new requirement (3.12.5) that says all organizations must use independent assessors or assessment teams to assess controls. This is a brand-new requirement from NIST that had not existed in the previous revision.

    In other words, if you’re a DoD contractor who handles CUI, not only will you need a CMMC assessment from a C3PAO , but you will likely also need to get an independent assessment as a part of the NIST 800-171 Rev 3 requirements as well.

    NIST and the DoD have not made it clear whether companies can leverage similar assessors or assessments to complete a CMMC Level 2 and a NIST 800-171 assessment.

    Key Takeaway #2: Managed Service Providers (MSP) could have updated cybersecurity requirements

    Another new requirement to NIST 800-171 Revision 3 is that external system service providers (i.e., Managed Service Providers) must now comply with organizational security requirements and organization-defined controls (see 3.16.3).

    In the past, it wasn’t called out in this document that organizations were explicitly responsible for the implementation of the same cybersecurity controls as the organization responsible for CUI under a contract. But in this revision, NIST says, “The responsibility for managing risks from the use of external system services remains with the organization charged with protecting CUI.”

    In other words, if you’re contracting with an external IT provider, they must now also meet specified requirements as determined by your organization-defined parameters. Of course, if you’re using a reputable provider who does this sort of work for DoD contractors, then you shouldn’t have to worry. If not, then it might be time to start shopping around.

    For more information and detail on the specific requirements for this, see document SA-9.

    Key Takeaway #3: FIPS encryption might not be the only way


    Revision 2 of NIST 800-171 explicitly calls out employing FIPS-validated cryptography when protecting CUI. But in the latest revision, implementing cryptographic protection is left up to the agency or organization from which that data comes.

    In other words, Revision 3 of NIST 800-171 provides a more modular view of encryption which gives the organization/agency more flexible options if they chose to elect those. In all likelihood, the requirements for this will be determined at the agency level (see 3.13.11).

    Key Takeaway #4: You’re likely required to whitelist applications instead of having the option to blacklist or whitelist

    Revision 2 of NIST 800-171 gave the organization the option to choose if they wanted to blacklist or whitelist approved applications on devices. However, the latest revision says that only whitelisting is allowed, meaning the burden will be greatly increased on organizations to make sure they’re only allowing appropriate applications.

    It also means you’re going to have to spend a lot more time trying to keep your whitelist up to date, which means outsourcing IT services might become a more ROI-positive investment  (see 3.4.8).

    Key Takeaway #5: You could have to have a supply chain risk assessment

    Here’s what the current published revision (Revision 2) says about Risk Assessment:

    Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

    However, Revision 3 says to assess the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of CUI AND it says to update risk assessments (including supply chain risk) at an organization-defined frequency which will come from the responsible agency or be self-prescribed by your organization.

    The obvious difference here is that supply chain risk assessments are specifically called out in Revision 3, which means it’s not only prime contractors that need to have supply chain risk assessments – now all contractors in the supply chain will need this (see 3.11.1).

    Key Takeaway #6: Split tunneling is up to the organization or agency

    In the current revision of NIST 800-171, split tunneling (accessing the Internet through a VPN outside of your corporate network) was specifically prohibited.

    Revision 3, however, says to prevent split tunneling for remote devices unless the split tunnel is securely provisioned using organization-defined safeguards. In other words, it’s up to the agency or organization to define what safeguards must be in place to use it.

    This revision specifically says A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments or to a specific set of pre-approved addresses without user control.

    Next Steps: We’ll Keep You Updated

    We’ve covered some of the changes in the latest revision of NIST SP 800-171, but obviously, we haven’t covered them all. Plus, this is just the first draft. For now, contractors should continue to implement NIST 800-171 r2 (according to current DFARS contracts).

    According to NIST, they anticipate “releasing at least one more draft version of SP 800-171 Rev. 3 before publishing the final in early 2024.”

    If you’re a DoD contractor, it’s vital to stay up to speed on how this update will be  rolled out. At the end of the day, you’re going to be held accountable by your contracts to the latest revision of NIST 800-171, whenever NIST releases the final publication.

    If you don’t want to scour the web for the latest updates on how and when NIST is updating your required cybersecurity measures, subscribe to the blog below.


    Daniel Akridge