Updates for NIST SP 800-17: What Does it Mean For Your Organization?

CMMC continues to evolve, with the latest updates for NIST SP 800-171 Revision 3 published last month (May 10). It is open for review and public feedback. This revision provides an update to the protection of Controlled Unclassified Information (CUI) and was made to ensure that the technical and nontechnical requirements have been stated clearly and concisely, while still addressing the needs of organizations. Below are the significant changes made to NIST SP 800-171. If you have questions about these changes or want to talk about what it means to your organization, contact Cybernet today.

• Streamlined introductory information in Section 1 and Section 2 to improve clarity and customer understanding

• Modified the security requirements and families in Section 3 to reflect the controls in the NIST SP 800-53B [13] moderate baseline and the tailoring actions in Appendix C

• Eliminated the distinction between basic and derived security requirements

• Increased the specificity of security requirements to remove ambiguity, improve the effectiveness of implementation, and clarify the scope of assessments

• Introduced organization-defined parameters (ODP) in selected security requirements to increase flexibility and help organizations better manage risk

• Grouped security requirements, where possible, to improve understanding and efficiency of implementation and assessments

• Removed outdated and redundant security requirements

• Added titles to security requirements

• Introduced a new tailoring category, Not Applicable (NA)

• Recategorized selected controls in the NIST SP 800-53B moderate baseline (using the tailoring criteria in Appendix C)

• Recast the security requirements, where possible, for consistency with the security control language in NIST SP 800-53

• Developed a prototype CUI overlay that expresses security requirements using the tailoring security controls in NIST SP 800-53

• Revised the structure of the References, Acronyms, and Glossary sections for greater clarity and ease of use

• Revised the tailoring table in Appendix C for consistency with the changes to the security requirements

• Transitioned the mapping tables formerly resident in Appendix D of NIST SP 800-171, Revision 2 to the publication details web page along with other supporting material

Review NIST SP 800-171 Revision 3 here

To contribute /read open public comments through July 2023 visit here