NIST 800-171 Revision 3 – Coming December 9th – What You Need to Know

chris.lyons Member Posts: 5 admin
edited December 6 in General Community

The National Institute of Standards and Technology (NIST) released the final version of NIST 800-171 Rev. 3 in May of 2024. The Department of Defense (DoD) released the new version of the framework to include new controls and guidance to better protect Controlled Unclassified Information (CUI). Contractors cannot currently use this new version to prove compliance with DFARS 252.204-7012. Revision 3 was released so that contractors can begin evaluating the controls and the potential changes that are expected to come to the DFARS and CMMC compliance models sometime in the future.

Differences between Rev. 2 and Rev. 3 

| Revision 2 | Revision 3 |
| --- | --- |
| Based off FIPS 200 and NIST 800-53 | Based solely off NIST 800-53 |
| 110 Controls – Controls were more separated | 97 Controls – New controls added, and other controls combined |
| Basic and Derived controls included in framework | Basic and Derived distinction language removed |
| “Periodic” language included | “Periodic” removed from the framework |
| | 49 Additional ODP statements added |
| 14 Control Families | 17 Control Families |
| Can be used for DFARS Compliance | Cannot be used for DFARS Compliance |
| 320 Determination statements | 422 Determination statements |

See this link for the NIST Analysis of changes.

How to use NIST 800-171 Rev. 3 Now 

Revision 3 was released to help companies get ahead of any potential changes that may be coming to DFARS and CMMC in the future. The release of the new revision gives companies the chance to assess their current posture against the new controls and new design of the framework. The framework could be used in multiple ways, for instance: 

  1. A company performing a new assessment against CMMC or Rev. 2 could run an assessment in parallel with Rev. 3 to see where there are differences and what changes could be needed to satisfy the more stringent requirements of Rev. 3. 
  2. Use a previous Rev. 2 assessment to populate corresponding spaces within Rev. 3 to identify gaps. 

What is included in the Apptega Roll Out of NIST 800-171 Rev. 3 

Apptega’s rollout of the new NIST 800-171 Rev. 3 includes multiple pieces that, when used together, can help a company build an organization that is fully compliant with the requirements of the framework. Remember: at this time, this framework does not meet the requirements of DFARS, so it cannot be used to submit scores or information to the government to prove compliance for DoD contracts.

Included in the roll out of NIST 800-171 Rev. 3: 

  1. The assessment. 
  2. The framework. 
  3. An automated task pack. 
  4. Mappings to other frameworks will be released in Q1, 2025.

Conclusion 

The NIST 800-171 Rev. 3 compliance package was created to allow companies to proactively pursue compliance with new controls that are expected to be included in future DFARS and CMMC releases. While this may not happen for several years, a proactive approach to compliance can allow a company to transition more easily from one set of controls to another. The changes between Rev. 2 and Rev. 3 can be as much as 32 percent more controls for Rev. 3, so getting started early may ease some of that burden. Additionally, with the added controls in Rev. 3, your organization will also be more secure.