Six Facts You Need to Know About NIST SP 800-171r3

Six Facts You Need to Know About NIST SP 800-171r3

On January 12, 2024, NIST (The National Institute for Standards and Technology) announced the beginning of a public comment period on NIST SP 800-171r3. These comments are in regard to the final draft proposal. Here are six facts you should know now about revision three of NIST SP 800-171.

1.    The Summary of Public Comments on NIST 800-171r3 Has Been Published

On Wednesday, February 21, NIST published its public comment summary. You can review the summary here

2.    People Still Are Not Clear About NIST’s Scope of Influence

The introduction mentions, “Approximately 40 comments addressed CMMC, DFARS, FedRAMP, the identification and marking of CUI, flow-down requirements, and the cost of implementation — all topics deemed out of scope for NIST to address.” There are definitely several organizations involved in ensuring the security of CUI nationwide, but NIST is truly only responsible for the NIST 800-171 standard. 

3.    The NIST SP 800-171r3 Assessment Guide Did Not Get Much Attention

Even though the assessment guide is essential to succeeding in the compliance journey, the summary notes that fewer than 150 comments were received and “Many commenters were not as familiar with the purpose, scope, and structure of the [SP 800-171A] assessment procedures or the source [SP 800-53A] assessment methodology and terminology.” If you do not understand the importance of NIST SP 800-171Ar3, please feel free to contact us for some clarification.

4.    It is Time to Familiarize Yourself with NIST 800-53

NIST 800-53 is mentioned several times throughout the comment summary. NIST 800-53 is a robust standard intended to protect federal information. In order to understand the references to this standard, downloading and reviewing it briefly will be helpful. You can download the standard here. Alternatively, again, feel free to reach out and we can help you “connect the dots” between NIST 800-53 and NIST 800-171. 

5.    NIST Has Action Items

After the summary of comments, NIST listed seven changes that the DIB (Defense Industrial Base) will see in the final publications of NIST 800-171r3, NIST 800-171Ar3, and supplemental materials. Those seven changes are:
a.    Cleaning up errors, omissions, and typos.

b.    Better alignment and consistency between SP 800-53 / 53A and SP 800-171r3 and 171Ar3.

c.    Organization Defined Parameters (ODPs) and the concept of “periodically” will be analyzed again. In the initial public draft of 800-171, NIST used the term “ODP” to indicate that the cadence or requirements would have to be clarified by the organization. This was a source of confusion, so in the final proposed draft, NIST replaced several of the “ODP” mentions with the word “periodically.” Commenters still want more guidance, but, ultimately, NIST is trying to say that each organization has to define certain facets themselves.

d.    NIST will review all of its discussion sections to focus more on tailoring guidance without using specific examples.

e.    More introductory background on 800-53 and 800-53A. NIST notes in a footnote that free, on-demand introductory courses on SP 800-53, 53A, and 53B will be available in the third quarter of 2024. Smithers will keep you updated on that release.

f.    Changes to SP 800-171A will be made in order to keep it aligned with security requirement changes to SP 800-171.

g.    Updates to the FAQs will include more about defining ODPs, the history and evolution of CUI requirements, and more.

6.    NIST SP 800-171r3 and 800-171Ar3 Are Coming Soon

NIST is holding to its stated timeline from 2023 and reiterates in the summary that publication will occur in Spring 2024. Depending on where you live, spring can mean many different things, but, presumably, the publication will happen sometime before the second quarter of 2024 is over.

What else would you like to know about revision three of NIST SP 800-171? Feel free to let us know. 
Show Policy

Latest Resources

See all resources