Major Changes and New Requirements in NIST SP 800-171 Rev 3 Draft for Government Contractors
Rev 3 brings more clarity and streamlines the information presented in Sections 1 and 2 of Rev 2. Some of the security requirements and families in Section 3 were modified to align with the NIST SP 800-53B moderate baseline. Several basic and derived security requirements have also been eliminated. For some of the security requirements, NIST has introduced organization-defined parameters (ODP) to increase flexibility and remove ambiguity. The objective is to provide additional flexibility by allowing federal organizations to specify values for the designated parameters, as needed. This flexibility is achieved using assignment and selection operations. For example, requirement 3.1.8 is now worded as follows:
“Limit the number of consecutive invalid logon attempts by a user to [Assignment: organization-defined number] in [Assignment: organization-defined time period].”
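To make the assignment and selection operations concrete, the following Python illustration (added here; it is not text from NIST or from this article) shows what happens once an organization fills in the ODPs. It models the two assignment ODPs of 3.1.8 (invalid-attempt count and time period) as a sliding-window lockout check, and the "Selection (one or more)" ODP of 3.1.23, Inactivity Logout, which appears in the list of new requirements below, as a policy that must select at least one condition. All parameter values (3 attempts, 15 minutes, 30 minutes idle, a "smartcard_removed" circumstance) and the logon timestamps are constructed assumptions for the example.

```python
"""Illustration of NIST SP 800-171 Rev 3 organization-defined parameters (ODPs).

Added example, not text from NIST or the article. It shows how the assignment
ODPs in 3.1.8 (number of invalid logon attempts, time period) and the
one-or-more selection ODP in 3.1.23 (inactivity period and/or defined
circumstances) become concrete, testable checks once an organization fills
in values. Every parameter value here is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class LogonAttemptPolicy:
    """3.1.8: both ODPs are assignment operations (the organization picks a value)."""
    max_invalid_attempts: int   # [Assignment: organization-defined number]
    window: timedelta           # [Assignment: organization-defined time period]


def lockout_decisions(policy: LogonAttemptPolicy,
                      attempts: Iterable[Tuple[datetime, bool]]) -> List[bool]:
    """Replay one user's logon attempts (timestamp, succeeded) in time order.

    Returns, per attempt, whether the account is locked after that attempt.
    Invalid attempts are counted in a sliding window of policy.window; once
    the count reaches policy.max_invalid_attempts the account stays locked
    (further attempts are rejected and ignored) until the oldest invalid
    attempt ages out of the window. A successful logon while not locked
    clears the consecutive-failure count.
    """
    failures: List[datetime] = []
    decisions: List[bool] = []
    for ts, succeeded in attempts:
        failures = [t for t in failures if ts - t <= policy.window]
        if len(failures) >= policy.max_invalid_attempts:
            decisions.append(True)          # locked: reject, do not change state
            continue
        if succeeded:
            failures = []
        else:
            failures.append(ts)
        decisions.append(len(failures) >= policy.max_invalid_attempts)
    return decisions


@dataclass(frozen=True)
class InactivityLogoutPolicy:
    """3.1.23: a 'Selection (one or more)' ODP, so an organization may choose
    the inactivity condition, the circumstances condition, or both."""
    inactivity_period: Optional[timedelta] = None   # None = condition not selected
    circumstances: Tuple[str, ...] = ()             # empty = condition not selected

    def __post_init__(self) -> None:
        if self.inactivity_period is None and not self.circumstances:
            raise ValueError("3.1.23 requires selecting at least one condition")


def logout_required(policy: InactivityLogoutPolicy, last_activity: datetime,
                    now: datetime, events: Iterable[str]) -> bool:
    """True if the session must be terminated under the selected conditions."""
    if policy.inactivity_period is not None and now - last_activity >= policy.inactivity_period:
        return True
    return any(event in policy.circumstances for event in events)


# --- constructed sample data (assumed ODP values, not from the standard) -----
T0 = datetime(2023, 6, 1, 9, 0)


def run_lockout_example() -> List[bool]:
    """Assumed ODP values: 3 invalid attempts within 15 minutes."""
    policy = LogonAttemptPolicy(max_invalid_attempts=3, window=timedelta(minutes=15))
    attempts = [
        (T0 + timedelta(minutes=0), False),
        (T0 + timedelta(minutes=1), False),
        (T0 + timedelta(minutes=2), False),   # third failure -> locked
        (T0 + timedelta(minutes=3), True),    # correct password, still locked
        (T0 + timedelta(minutes=20), True),   # window expired, logon succeeds
    ]
    return lockout_decisions(policy, attempts)


def run_spread_failures_example() -> List[bool]:
    """Same policy; three failures spread over 20 minutes never share one window."""
    policy = LogonAttemptPolicy(max_invalid_attempts=3, window=timedelta(minutes=15))
    attempts = [(T0 + timedelta(minutes=m), False) for m in (0, 10, 20)]
    return lockout_decisions(policy, attempts)


def run_logout_example() -> Tuple[bool, bool, bool]:
    """Assumed selection: both conditions, 30 minutes idle or a 'smartcard_removed' event."""
    policy = InactivityLogoutPolicy(inactivity_period=timedelta(minutes=30),
                                    circumstances=("smartcard_removed",))
    idle_ok = logout_required(policy, T0, T0 + timedelta(minutes=10), [])
    idle_expired = logout_required(policy, T0, T0 + timedelta(minutes=31), [])
    event_hit = logout_required(policy, T0, T0 + timedelta(minutes=5), ["smartcard_removed"])
    return idle_ok, idle_expired, event_hit


if __name__ == "__main__":
    print(run_lockout_example())           # [False, False, True, True, False]
    print(run_spread_failures_example())   # [False, False, False]
    print(run_logout_example())            # (False, True, True)
```

The point of the two policy classes is that the requirement text is stable while the ODP values are what an assessor checks against: the same lockout code produces a different verdict when the organization's assigned number or time period changes, and the selection ODP is enforced as a constructor check so that a policy that selects neither condition cannot be instantiated.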
NIST SP 800-171 Rev 3 organizes the security requirements into 17 families. The newly introduced families are “Planning”, “System and Services Acquisition” and “Supply Chain Risk Management”. Although discussion sections were provided for each security requirement in Rev 2, in Rev 3 the discussion sections for some requirements are somewhat longer and contain more examples. However, the examples are not exhaustive and do not reflect all potential options. The References section for each requirement is a new addition; it provides the source controls from NIST SP 800-53 and a list of NIST Special Publications with additional information on the topic described in the requirement.
Newly introduced security requirements (24):
3.1.23 – Account Management – Inactivity Logout
Require that users log out of the system [Selection (one or more): after [Assignment: organization-defined time period] of expected inactivity; when [Assignment: organization-defined circumstances occur]].
3.4.10 – System Component Inventory
a. Develop and document an inventory of system components.
b. Review and update the system component inventory [Assignment: organization-defined frequency] and as part of component installations, removals, and system updates.
3.4.11 – Information Location
a. Identify and document the location within the system where CUI is processed and stored.
b. Identify and document the users who have access to the system where CUI is processed and stored.
c. Document changes to the location where CUI is processed and stored.
3.4.12 – System and Component Configuration for High-Risk Areas
a. Issue [Assignment: organization-defined system] with [Assignment: organization-defined system configurations] to individuals traveling to locations that the organization deems to be of significant risk.
b. Apply the following controls to the system when the individuals return from travel: [Assignment: organization-defined controls].
Identification and Authentication
3.5.12 – Authenticator Management
a. Establish initial authenticator content for any authenticators issued by the organization.
b. Verify the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution.
c. Establish and implement administrative procedures for initial authenticator distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators.
d. Protect authenticator content from unauthorized disclosure and modification.
e. Change default authenticators prior to first use.
f. Change or refresh authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events].
g. Change authenticators for group or role accounts when membership to those accounts changes.
3.6.4 – Incident Response Training
a. Provide incident response training to system users consistent with assigned roles and responsibilities.
b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
3.9.3 – External Personnel Security
a. Establish and document personnel security requirements, including security roles and responsibilities for external providers.
b. Require external providers to comply with the personnel security policies and procedures established by the organization.
c. Monitor provider compliance with personnel security requirements.
3.10.7 – Physical Access Control
a. Enforce physical access authorizations at [Assignment: organization-defined entry and exit points to the facility where the system resides] by:
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress and egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems or devices]; guards].
b. Maintain physical access audit logs for [Assignment: organization-defined entry or exit points].
c. Escort visitors and control visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and control of visitor activity].
d. Secure keys, combinations, and other physical access devices.
3.10.8 – Access Control for Transmission and Output Devices
a. Control physical access to system distribution and transmission lines within organizational facilities.
b. Control physical access to output from [Assignment: organization-defined output devices] to prevent unauthorized individuals from obtaining the output.
3.11.4 – Risk Response
Respond to findings from security assessments, monitoring, and audits.
Security Assessment and Monitoring
3.12.5 – Independent Assessment
Use independent assessors or assessment teams to assess controls.
3.12.6 – Information Exchange
a. Approve, document, and manage the exchange of CUI between the system and other systems using [Assignment: organization-defined agreements].
b. Review and update the agreements [Assignment: organization-defined frequency].
3.12.7 – Internal System Connections
a. Authorize internal system connections of [Assignment: organization-defined system components or classes of components].
b. Review the continued need for each internal system connection [Assignment: organization-defined frequency].
System and Communications Protection
3.13.17 – Internal Network Communications Traffic
Route internal network communications traffic to external networks through an authenticated proxy server.
3.13.18 – System Access Points
Limit the number of external network connections to the system.
System and Information Integrity
3.14.8 – Spam Protection
a. Implement spam protection mechanisms at designated locations within the system to detect and act on unsolicited messages.
b. Update spam protection mechanisms [Assignment: organization-defined frequency].
3.15.1 – Policy and Procedures
a. Develop, document, and disseminate to organizational personnel or roles, policies and procedures needed to implement security requirements.
b. Review and update policies and procedures [Assignment: organization-defined frequency].
3.15.3 – Rules of Behavior
a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for handling CUI and system usage.
b. Review and update the rules of behavior [Assignment: organization-defined frequency].
System and Services Acquisition
3.16.2 – Unsupported System Components
a. Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or
b. Provide options for alternative sources for continued support for unsupported components.
3.16.3 – External System Services
a. Require the providers of external system services to comply with organizational security requirements, and implement the following controls: [Assignment: organization-defined controls].
b. Define and document organizational oversight and user roles and responsibilities with regard to external system services.
c. Implement the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [Assignment: organization-defined processes, methods, and techniques].
Supply Chain Risk Management
3.17.1 – Supply Chain Risk Management Plan
a. Develop a plan for managing supply chain risks associated with the development, manufacturing, acquisition, delivery, operations, maintenance, and disposal of the system, system components, or system services.
b. Review and update the plan [Assignment: organization-defined frequency].
3.17.2 – Acquisition Strategies, Tools, and Methods
Develop and implement acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks.
3.17.3 – Supply Chain Controls and Processes
a. Establish a process or processes for identifying and addressing weaknesses or deficiencies in the supply chain elements and processes.
b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined supply chain controls].
3.17.4 – Component Disposal
Dispose of system components, documentation, or tools containing CUI using the following techniques and methods: [Assignment: organization-defined techniques and methods].
Moved as new requirements to new domains (2):
3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
Removed and addressed in existing requirements (21):
3.1.13 – Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
3.1.14 – Route remote access via managed access control points.
3.1.15 – Authorize remote execution of privileged commands and remote access to security-relevant information.
3.1.17 – Protect wireless access using authentication and encryption.
3.1.19 – Encrypt CUI on mobile devices and mobile computing platforms.
3.4.7 – Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
3.5.9 – Allow temporary password use for system logons with an immediate change to a permanent password.
3.5.10 – Store and transmit only cryptographically-protected passwords.
3.7.2 – Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
3.7.3 – Ensure equipment removed for off-site maintenance is sanitized of any CUI.
3.8.6 – Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
3.8.8 – Prohibit the use of portable storage devices when such devices have no identifiable owner.
3.10.3 – Escort visitors and monitor visitor activity.
3.10.4 – Maintain audit logs of physical access.
3.10.5 – Control and manage physical access devices.
3.11.3 – Remediate vulnerabilities in accordance with risk assessments.
3.13.5 – Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
3.13.16 – Protect the confidentiality of CUI at rest.
3.14.4 – Update malicious code protection mechanisms when new releases are available.
3.14.5 – Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
3.14.7 – Identify unauthorized use of organizational systems.
3.5.6 – Disable identifiers after a defined period of inactivity.
3.5.8 – Prohibit password reuse for a specified number of generations.
3.7.1 – Perform maintenance on organizational systems.
3.13.14 – Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
NIST proposed significant changes to another 49 requirements in total. Those changes either add details or incorporate new sub-requirements that were moved from existing requirements in Rev 2.
36 of the 110 existing requirements received only minor changes or no significant changes at all. Minor changes are typically title and editorial changes with little or no effect on the requirement's outcome.
How Can We Help the Government Contractors?
NIST SP 800-171 Rev 3 is still in its initial draft form. However, it is apparent that government contractors that plan to implement, or have already implemented, their CMMC readiness will have to adapt to the significantly changed requirements in addition to addressing the new ones. Linqs provides CMMC training and advisory services to help government contractors interpret and implement the requirements. We will monitor further changes and approvals and advise the public accordingly.
If you have any questions or need assistance, reach out to our training & advisory team by using the Contact Us form below.