Release of NIST 800-171 R3 (Revision 3) Draft and Preliminary Analysis

NIST 800-171 R3 (Revision 3) draft was released and discussed at today’s 7th annual NDIA Cyber Event at Gillette Stadium, sponsored in part by KLC Consulting. Panelists examined its potential impact on DFARS compliance and the CMMC program. R3 introduces “Organization-Defined Parameters” (ODP) for businesses to define agreements, configurations, and control frequency. The draft includes 17 domains, adding new ones like Planning, System & Services Acquisition, and Supply Chain Risk Management. Key changes involve independent assessments, FIPS Validated encryption as an ODP control, and external service providers’ compliance with personnel security requirements. Overall, R3 is a sensible approach offering flexibility. Further guidance from DIBCAC and the Cyber AB is expected soon.


Kyle Lai
President and CISO, KLC Consulting, Inc.
CCP (Certified CMMC Professional), PA (Pending; Provisional Assessor), PI (Provisional Instructor)

Yesterday (May 10th, 2023), KLC Consulting sponsored the National Defense Industrial Association’s 7th Annual Cyber Event at Gillette Stadium. One important topic that will affect your DFARS compliance program was a preliminary overview of the NIST 800-171 R3 draft, released just yesterday morning. Panelists Charles Connolly from DIBCAC (the DoD’s DIB assessment organization) and Matt Travis, CEO of the Cyber AB, discussed the potential impact on the CMMC program and rulemaking processes. Colleague Jacob Horne also presented an initial summary of changes to controls.

Summary and analysis of the conference panel discussion of NIST 800-171 R3

  1. The R3 draft release is not a surprise; the final R3 release is anticipated in early 2024.
  2. CMMC is absolutely here to stay. But the Cyber AB can’t predict whether CMMC’s final rule will come out before the final R3 release. The Cyber AB is considering the NIST 800-171 R3 draft and will clarify the path forward for assessments as soon as possible.
  3. We have a new term and acronym: “Organization-Defined Parameters” (ODP). Each business organization will define its respective ODPs (Agreements, Configurations, and Control Frequency) to best fit its needs. However, ODP is already raising questions like: “Will the DoD define ODP on controls such as FIPS encryption?” The DoD may take a different stance than other federal agencies. DIBCAC doesn’t have an answer right now. But we expect DIBCAC to clarify R3 questions soon.
  4. R3 has 17 domains instead of the 14 in R2. Some controls were withdrawn but incorporated into other controls.

New Domains

3.15 – Planning

Requires each organization to establish policies and procedures, develop an SSP, and have an acceptable use policy.

3.16 – System & Services Acquisition 

Requires each organization to:

  • Define security engineering principles to evaluate, design, and acquire new systems.
  • Determine how you manage unsupported systems (e.g., Windows XP-based systems).
  • Ensure your external service providers (ESP) comply with your organization’s security requirements.

3.17 – Supply Chain Risk Management

  • Define your plan to manage supply chain risk, acquisition strategies, and methodologies. 
  • Control your supply chain risks.
  • Define your disposal process for Controlled Unclassified Information (CUI).

Other Important Mentions

  1. (3.12.5) Independent assessment becomes a requirement in NIST 800-171 R3.
  2. (3.13.11) The FIPS Validated encryption requirement becomes an ODP control. Your organization defines the encryption it requires within its environment.
  3. (3.9.3) Ensure External Service Providers (CSP, MSP, MSSP) comply with your personnel security requirements.

My thoughts about Draft NIST 800-171 Revision 3

R3 (Draft) is a more sensible way to approach security. R3 enables you to define controls and practices through your Organization Defined Parameters (ODP). It clarifies that policies and procedures are required. And it addresses the growing concern with supply chain risks (although these are additional controls). However, we don’t know how soon CMMC will adopt R3, but we know CMMC is not going away. I look forward to getting more guidance from DIBCAC and CyberAB soon.

