NIST issues summary and analysis of comments received in response to SP 800-171 r3 initial public draft

Following its May revision, the National Institute of Standards and Technology (NIST) issued Wednesday its summary and analysis of comments received in response to SP 800-171 Revision 3 initial public draft (ipd). The update represents over one year of data collection, technical analyses, customer interaction, redesign, and development of the security requirements and supporting information for the protection of CUI (controlled unclassified information). 

NIST is adjudicating the comments and preparing the final public draft (fpd) of SP 800-171 r3. Concurrently, the team is developing the initial public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, which will provide assessment procedures for the SP 800-171 r3 security requirements. NIST anticipates releasing SP 800-171 r3 fpd and SP 800-171A ipd for public comment between October and December this year and looks forward to ongoing engagement with users during the comment period.

Based on a preliminary review and analysis of the comments received, NIST plans to make various changes in SP 800-171 r3 fpd. These include reducing the number of ODPs (organization-defined parameters); reevaluating the tailoring categories and tailoring decisions to eliminate the NFO category and to tailor out controls that may be adequately addressed by other related controls; and restructuring and streamlining the discussion sections so that they address only the security requirement, with the text sequenced to correspond with specific requirement items.

The NIST said in its latest document that “Many trade-offs have been made to ensure that the technical and non-technical requirements have been stated clearly and concisely while also recognizing the specific needs of federal and nonfederal organizations.”

The ipd of SP 800-171 r3 was issued in May for a 90-day public comment period. Reviewers were encouraged to provide feedback on all or parts of the draft. In particular, NIST sought comments and recommendations on the recategorization of controls, the inclusion of ODPs, and the prototype CUI overlay. Over 80 organizations and individuals submitted comments. 

Almost 1,700 comments were received from 82 commenters on SP 800-171 r3 ipd and its supporting resources (i.e., analysis of changes, FAQ, and CUI Overlay). Over 98 percent of the comments submitted focused on the draft publication. There were limited comments on the prototype CUI overlay. The analysis added that “while the majority of commenters expressed support for the concept and appreciated the traceability and alignment between the SP 800-53 controls and the SP 800-171 security requirements, there is an opportunity for NIST to better educate the community about (SP 800-53) control overlays, including their purpose and benefits.”

Many of the comments received were related to the introduction of ODPs in the security requirements, the analysis said. “While some organizations supported the concept, which provides flexibility to federal agencies and non-federal organizations, there were concerns about the responsible entity for defining ODPs and the potential for inconsistent expectations and implementations (e.g., different ODP values used by different federal agencies resulting in the need for multiple and costly implementations).”

Some common recommendations included having a single entity define ODPs for all non-federal organizations, although commenters suggested many different entities, including NIST, a panel of federal agencies, industry coalitions/groups, and nonfederal organizations. Some commenters recommended removing all ODPs from the publication, others provided suggestions for changes to ODPs for specific requirements, and some recommended adding ODPs to security requirements. 

The analysis identified that over 80 percent of the comments received addressed one or more SP 800-171 security requirements, and there was at least one comment on almost every requirement. “Many of the comments addressed recommendations for parameter values and concerns about the implementation of ODPs for each requirement.”

The agency also recognized that some commenters provided constructive feedback on how to improve the discussion section of each security requirement to promote understanding of the requirement intent and facilitate better implementation. “Interestingly, only 21 comments were received on security requirement 3.13.11 (Cryptographic Protection). Some organizations and individuals elected to submit identical comments.”

Consistent with the feedback on the ‘Pre-Draft Call for Comments,’ the NIST said that the majority of the commenters supported the closer alignment between the SP 800-171 security requirements and the SP 800-53r5 controls. “A small number of commenters did not support the alignment between the security requirements and controls nor the additional specificity produced by the alignment.” 

It added that one commenter suggested that SP 800-171 should be aligned with a different control framework rather than SP 800-53, indicating an opportunity for NIST to provide additional informative resources in the portfolio of cybersecurity risk management guidance. Many commenters requested additional mappings and encouraged coordination and alignment with the Cybersecurity Maturity Model Certification (CMMC) program.

The CMMC utilizes the publicly available security requirements in NIST Special Publication (SP) 800-171 and draft NIST SP 800-171B, although NIST itself is not involved in the design, development, or implementation of the CMMC model, accreditation body, or certification.

The NIST analysis also identified that many commenters representing organizations of all sizes requested additional implementation guidance and resources. “Even with the updated discussion sections, commenters requested additional clarity to assist with interpreting the requirements, especially for small-to-midsize organizations. Some commenters requested a smaller subset of requirements for small-to-midsize businesses and cost-effective implementation examples and case studies.”

Following last week’s release of the public draft of its NIST Cybersecurity Framework (CSF or Framework) 2.0, the NIST unveiled this week its new CSF 2.0 Reference Tool. The resource allows users to explore the Draft CSF 2.0 Core (Functions, Categories, Subcategories, Implementation Examples) and offers human and machine-readable versions of the draft Core in JSON and Excel formats.
