NIST revises SP 800-171 guidelines for protecting sensitive information, implementing security requirements

Following last week’s update of its draft guidelines for protecting sensitive unclassified information, the National Institute of Standards and Technology (NIST) announced on Monday that it will host a webinar on June 6 to provide an overview of the significant changes in the NIST SP 800-171 document. The agency initiated the revision to help federal agencies and government contractors implement security requirements more consistently.

NIST Special Publication (SP) 800-171, Revision 3 will be of particular interest to the large number of businesses that contract with the federal government. The agency requests public comments on the draft guidelines by July 14 this year.

Significant changes in NIST SP 800-171, Revision 3 include updates to the security requirements and families to reflect updates in NIST SP 800-53, Revision 5 and the NIST SP 800-53B moderate control baseline; updated tailoring criteria; and increased specificity for security requirements to remove ambiguity, improve the effectiveness of implementation, and clarify the scope of assessments. The draft also introduces organization-defined parameters (ODPs) in selected security requirements to increase flexibility and help organizations better manage risk, and it offers a prototype CUI (controlled unclassified information) overlay.

The author-led webinar discussion will provide an overview of the significant changes in Draft SP 800-171, Revision 3, describe the design principles and rationale behind the significant changes, identify areas where NIST seeks additional and specific input, share information about how to engage and provide feedback, and take live audience Q&A. 

Authored by Ron Ross and Victoria Pillitteri, the revision to NIST SP 800-171 represents over one year of data collection, technical analyses, customer interaction, redesign, and development of the security requirements and supporting information for the protection of CUI. 

In February, NIST issued a status update on its SP 800-171, which provides a set of recommended security requirements for protecting the confidentiality of CUI. The document addresses the protection of CUI in nonfederal systems and organizations, giving federal agencies a set of recommended security requirements they can impose on those organizations.

Three new security requirement families have been added to Revision 3 to maintain consistency with the NIST SP 800-53B moderate control baseline: the Planning (PL) family, the System and Services Acquisition (SA) family, and the Supply Chain Risk Management (SR) family. In addition, the Security Assessment family has been renamed the Security Assessment and Monitoring (CA) family, keeping the CA identifier used for the corresponding control family in NIST SP 800-53.

The revised draft guidelines, titled ‘Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,’ will be of particular interest to the many thousands of businesses that contract with the federal government. Federal rules that govern the protection of CUI, which includes sensitive data such as health information, critical energy infrastructure information, and intellectual property, reference the SP 800-171 security requirements. Systems that store CUI often support government programs containing critical assets, such as design specifications for weapons systems, communications systems, and space systems.

The security requirements in this publication are only applicable to components of nonfederal systems that process, store, or transmit CUI or provide protection for such components. Nonfederal systems include information technology (IT) systems, operational technology (OT) systems, and Internet of Things (IoT) devices. The requirements are intended for use by federal agencies in contractual vehicles or other agreements that are established between those agencies and nonfederal organizations.

The changes are intended in part to help these businesses better understand how to implement the specific cybersecurity safeguards provided in a closely related NIST publication, SP 800-53 Rev. 5. The authors have aligned the language of the two publications so that businesses can more readily apply SP 800-53’s catalog of technical tools, or ‘controls,’ to achieve SP 800-171’s cybersecurity outcomes. 

According to NIST’s Ross, the update is designed to help maintain consistent defenses against high-level threats to information security. 

“Many of the newly added requirements specifically address threats to CUI, which recently has been a target of state-level espionage. We want to implement and maintain state-of-the-practice defenses because the threat space is changing constantly,” Ross, a NIST fellow, said in a statement. “We tried to express those requirements in a way that shows contractors what we do and why in federal cybersecurity. There’s more useful detail now with less ambiguity.”

NIST SP 800-171 aims to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI. The requirements apply when the CUI is resident in a nonfederal system and organization; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency, or using or operating a system on behalf of an agency; and when there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI registry.

The recommended security requirements in the NIST SP 800-171 document rest on certain assumptions: that federal information designated as CUI has the same value whether it resides in a federal or a nonfederal system or organization; that statutory and regulatory requirements for the protection of CUI are consistent in federal and nonfederal systems and organizations; that the safeguards implemented to protect CUI are consistent in federal and nonfederal systems and organizations; and that the confidentiality impact value for CUI is no less than moderate.

The security requirements in previous versions of NIST SP 800-171 were stated at a high level of abstraction and left detailed specifications to the implementers and the assessors. While certain organizations viewed this lack of specificity favorably, others stated that it made the solution space too broad and left the requirements open to interpretation and subjective in their application. 

The lack of specificity also made assessments more difficult since assessors had different expectations and interpretations of whether organizations satisfied the requirements. The increased specificity in Revision 3 continues to allow for flexibility in implementation but also aligns security requirement language to the control language in NIST SP 800-53. 

In many cases, security requirements are closely related to other requirements. For efficiency and increased understanding, certain requirements have been withdrawn and incorporated into other requirements when there is a direct relationship or logical association. Such grouping resulted in multi-part requirements but did not add to the total number of requirements. The grouping of requirements is also consistent with the content of the security controls in NIST SP 800-53.

Organization-defined parameters are used in the NIST SP 800-53 controls to provide flexibility to federal agencies in tailoring controls to support specific organizational missions or business functions and to manage risk. To provide that same flexibility to federal agencies in working with nonfederal organizations to protect CUI, ODPs have been selectively employed in the requirements in NIST SP 800-171, Revision 3, consistent with their use in NIST SP 800-53, Revision 5. 

Once ODPs have been defined, they become part of the security requirement and can be assessed as such. ODPs also help simplify assessments by providing greater specificity to the requirements being assessed and reducing ambiguity and inconsistent interpretation by assessors. Federal agencies can elect to specify ODP values, provide guidance to nonfederal organizations on selecting them, or allow nonfederal organizations to self-select ODP values.

As part of NIST’s ongoing responsibility for these publications, they are routinely updated with ‘state-of-the-practice’ safeguards and countermeasures to help organizations protect CUI from unauthorized disclosure. When the moderate control baseline in NIST SP 800-53B was updated to reflect the security controls in NIST SP 800-53, Revision 5, it automatically triggered an update to the security requirements in NIST SP 800-171. That update resulted in the addition of new security requirements in Revision 3, and also in the removal of certain requirements from the catalog. Information regarding the transition of security requirements from NIST SP 800-171, Revision 2 to Revision 3.

The mapping table in NIST SP 800-171, Revision 3 will focus exclusively on the NIST SP 800-53 security controls, which are the authoritative source for the security requirements. NIST is currently updating the mapping of the NIST SP 800-53, Revision 5 controls to the ISO/IEC 27001:2022 controls and will issue the update by fall 2023.

Last month, NIST published a discussion draft that identifies the potential Functions, Categories, and Subcategories of the NIST Cybersecurity Framework (CSF) 2.0 Core. In its preliminary stage, the early draft of the NIST CSF 2.0 Core covers cybersecurity outcomes across six functions, 21 categories, and 112 subcategories, and is intended to increase transparency of the update process and promote discussion to generate concrete suggestions for improving the framework.
