Revision 3 (Rev. 3) of NIST Special Publication 800-171, published by the National Institute of Standards and Technology (NIST), is expected early in 2024. The update introduces significant changes, including new requirements. Contractors and vendors who wish to do work with the Department of Defense (DoD), as well as those contractors’ own vendors and subcontractors, must adhere to Rev. 3.
NIST 800-171 is critical. Failing to adhere to these standards could result in loss of contracts, data loss, fines, and other consequences.
We highlight seven things you need to know about the current requirements and upcoming changes, along with a road map to help you meet compliance regulations.
7 Ways To Start Preparing Now for NIST 800-171 Rev. 3
1. Are You Compliant with NIST 800-171 Rev. 2?
A good place to start when it comes to future compliance demands is understanding where you stand now with the current compliance demands.
NIST 800-171 Rev. 2 requires organizations to implement 110 recommended security requirements (controls) for protecting the confidentiality of controlled unclassified information (CUI). These controls cover a broad swath of security practices, such as:
- Cybersecurity awareness and training
- Identification and authentication
- Incident response
- System and communications protection
Total compliance is required.
By becoming compliant with NIST 800-171 Rev. 2 now, organizations will have less work to do when Rev. 3 is released.
2. Assessment Processes are Transforming
Previously, organizations could self-attest to their compliance. In addition, one of the most significant recent changes was the 2020 interim rule, which required suppliers to calculate and report a Supplier Performance Risk System (SPRS) score. By now, you should know what your SPRS score is and whether it is accurate. DoD contracts are now being released with compliance requirements included, and if you cannot attest to compliance, you may be hindering your ability to bid on or be awarded future contracts.
3. Third-party Vendor Risk Assessments are Pivotal
All organizations deal with data, but those that handle sensitive federal and military data must have protocols in place to keep it secure. When organizations make purchasing decisions, they are usually focused on their budget, not on the vendor’s cybersecurity posture. One of the greatest risks to a secure system is being breached through a third-party vendor. Conducting thorough third-party vendor risk assessments can reduce this risk.
4. Labeling Controlled Unclassified Information
Identifying Controlled Unclassified Information (CUI) is vital to meeting Rev. 3 compliance. Even if an organization is not working directly with the DoD, it is still subject to mandatory compliance if it works with a prime contractor or a subcontractor.
Do you really know what is considered CUI?
Smaller firms may not realize that some detailed documents, such as plumbing and electrical plans for military bases, are considered CUI, and as a result they may fail to meet the changing regulations.
Tip: If you have access to federal or military data – yes, even electrical plans – compliance is necessary.
5. Additional System Components Defined
Stricter definitions are also on the horizon for Rev. 3. With additional scrutiny placed on most aspects of technology, some definitions are expanding.
For instance, system components under Rev. 2 included:
- Input and output devices
- Network components
- Operating systems
- Virtual machines
In the Rev. 3 draft, this list is expanded to include more detail surrounding:
- Notebook computers
- Mobile phones
- Anything that is network-attached
6. Blocklisting vs. Allowlisting
Rev. 3 is expected to no longer offer the “either/or” choice between blocklisting and allowlisting. The allow-by-exception (allowlisting) requirement will become the standard. This stricter approach offers greater control over the risk of an attack by reducing the number of applications permitted to run at one time, and it helps prevent supply chain issues.
7. Noncompliance Risks
At this point in time, 100% compliance with NIST 800-171 Rev. 2 is required. Even if a business receives sensitive data that was not originally labeled CUI, it could be on the hook if the labeling isn’t rectified and the data isn’t properly protected. Failing to meet any of these requirements could expose the organization to data breaches and loss of contracts.
Compliance Isn’t About Checking a Box
Many businesses make the mistake of believing that once they go through a compliance assessment and complete the audits, they’re done. This is not the case. Compliance, whether with NIST 800-171 or CMMC, is an ongoing obligation that requires constant vigilance, system monitoring, training, and a continuously updated incident response plan designed to meet evolving threats. Companies should focus on compliance management at all levels, including financial, operational, and strategic.
When Rev. 3 is introduced, companies will have to quickly pivot to meet those changing regulations. Readiness assessments and audits can help companies identify their responsibilities for compliance and give them a road map for any corrective actions that are needed to meet these regulations, helping them to avoid serious consequences, such as loss of work or data breaches.
VersaTrust’s Assessment Process
Experts review your current strategies
VersaTrust will begin by reviewing your current cybersecurity strategies and identifying which parts are compliant with NIST or CMMC requirements and where gaps exist.
You Get an Action Plan That Addresses Gaps
Next, we’ll look at the data and address areas of need by developing action plans. For example, we may need to place parts of your infrastructure in an enclave or address the infrastructure as a whole; we then guide you through execution and implement the plan with you.
Ready for Your Assessment
VersaTrust will oversee, manage, and guide you through completing and uploading the DFARS 252.204-7019 SPRS score to satisfy Rev. 2 and the upcoming Rev. 3, or to meet CMMC compliance requirements.
Easily Navigate Your Compliance Journey With the Compliance Experts From VersaTrust
NIST 800-171 Rev. 3 will be here before we know it. Companies shouldn’t wait until the last minute to meet changing compliance regulations, or they could find themselves in noncompliance. A proactive approach to compliance, training, ongoing assessments, and audits can help ensure you’re meeting today’s regulations and tomorrow’s adjustments.