Understanding NIST SP 800-171 Revision 3 with Dr. Ron Ross

    Explore the improvements coming to NIST SP 800-171 Revision 3 with Dr. Ron Ross. Learn about key updates, new requirements, and the roll-out process.

    3 Minutes Read

    After more than a year of development, revision 3 of NIST SP 800-171 and NIST SP 800-171A are officially done.

    We were joined by Dr. Ron Ross to discuss what NIST learned from public comments, why NIST decided to add 19 new requirements, the thought process behind “ORC” controls, and what the future holds for the CUI series, rulemaking, and the NIST SP 800-53 catalog overall.

    Watch the Podcast

    Listen to the Podcast

    This episode is from the Sum IT Up podcast. Click here to learn more.

    Supplemental Resources for NIST SP 800-171 Revision 3

    NIST released numerous supplemental resources along with NIST SP 800-171 revision 3 and NIST SP 800-171A revision 3.

    “We found that supplemental materials are really important to our community because understanding what’s in the document – just reading the words – sometimes doesn’t go far enough, especially when you’re looking at new versions coming out. What are the changes? What are the deltas? What do all these things really mean?” – Dr. Ron Ross

    • A summary press release.
    • A digital version of the requirements within the Cybersecurity and Privacy Reference Tool (CPRT).
    • Updates on the Protecting Controlled Unclassified Information project site.
    • A Change Analysis spreadsheet explaining changes between SP 800-171 revision 2 and revision 3.

    Screenshot 2024-07-03 at 1.53.38 PM

    Screenshot 2024-07-03 at 1.55.50 PM

    What has NIST learned during the revision process? Were you surprised by anything?

    “We always learn in every one of these publication updates. I think what surprised me the most is the number of people that count every control and every subpart and every determination statement. I didn’t realize – frankly we never count the number of determination statements or the number of objectives in the publication. We basically try to define the requirement and then develop an assessment procedure. But that surprised me, how many people hang on every number.”

    “One thing that surprised me was the [Organizationally Defined Parameter (ODP)] reaction and we kinda had to go down that road. Once you make the commitment to going into [NIST SP 800-53] you’re not going to be able to eliminate ODPs. But I was surprised. We had people that liked them and disliked them. They’re actually a pretty important part of finishing up and finalizing the requirements. My favorite one is the backup requirement. NIST is never gonna be in a position to tell an organization how often to backup because of [different settings/missions].”

    Do you think NIST SP 800-171 revision 3 is a better standard compared to revision 2?

    “Yes. It’s clearly a better guidance document. Why? First of all, we brought it up to code with [NIST SP 800-53 revision 5]. Second, it fills some critical gaps. One big gap that you all are very aware of (and the DIB especially) is the requirement for external service providers to make sure this information [is protected].”

    Why 19 new requirements?

    The number of requirements in NIST SP 800-171 revision 3 has decreased from 110 to 97 while the number of determination statements in NIST SP 800-171A revision has increased from 320 to 422.

    Why did those 19 requirements make the cut?

    “This process, as I said earlier, is not using formal methods and first order predicate calculus to come up with an answer. This is a process that is based on what I call a “tradespace decision”. When you build a system in the world of systems engineering there are all kinds of trade offs that are made. The same thing happens with us.”

    The 19 New Requirements in NIST SP 800-171 Revision 3

    03.04.10 System Component Inventory

    03.04.11 Information Location

    03.04.12 System and Component Configuration for High-Risk Areas

    03.05.12 Authenticator Management

    03.06.04 Incident Response Training

    03.06.05 Incident Response Plan

    03.10.07 Physical Access Control

    03.10.08 Access Control for Transmission

    03.11.04 Risk Response

    03.12.05 Information Exchange

    03.14.08 Information Management and Retention

    03.15.01 Policy and Procedures

    03.15.03 Rules of Behavior

    03.16.01 Security Engineering Principles

    03.16.02 Unsupported System Components

    03.16.03 External System Services

    03.17.01 Supply Chain Risk Management Plan

    03.17.02 Acquisition Strategies, Tools, and Methods

    03.17.03 Supply Chain Requirements and Processes

    Dr. Ross’ closing thoughts

    “It’s a lot of work but it’s worth the effort, that’s one thing that I would tell everybody. It’s hard to overstate this. With our total dependence on computing technology going into everything from IT systems to OT, IoT, etc., cyber-physical convergence has changed the landscape for everything that matters today. We know it’s a lot of work and we know it’s not going to be a smooth ride but with two steps forward and one step back you’re still making forward progress.”

    Past episodes with Ron:

    NIST Security Controls: Deep Dive with Dr. Ron Ross

    NIST SP 800-171 revision 3 with Dr. Ron Ross

    Sum IT Up Podcast

    With Jacob Horne and Jason Sproesser

    We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.

    SumItUp Spotify Podcast Button SumItUp Apple Podcast Button SumItUp YouTube Podcast Button

    Picture of Jacob Horne

    Jacob Horne

    Jacob has 15 years of interdisciplinary cybersecurity experience. He uses his knowledge of cybersecurity, NIST standards, and federal rulemaking to help people make sense of cybersecurity regulations and requirements.