Effective URL: https://sp6.io/blog/nist-800-171-revision-3-5-critical-updates-you-should-know/?utm_campaign=24-Q1-CRC&utm_medi...

NIST 800-171 REVISION 3: 5 CRITICAL UPDATES YOU SHOULD KNOW



 * SP6
 * February 1, 2024



On 10 January 2024, the National Institute of Standards and Technology (NIST)
shared critical updates to Special Publication 800-171, Revision 3.

These guidelines safeguard Controlled Unclassified Information (CUI) that is
processed, stored, or transmitted by nonfederal systems and organizations. This
10-year-old initiative has affected thousands of defense contractors,
subcontractors, and critical infrastructure organizations.

Here are some key takeaways from the release of SP 800-171 r3.  


1. ALIGNMENT WITH THE LANGUAGE AND FORMAT OF NIST SP 800-53 R5  

NIST SP 800-171 Revision 3 now aligns more closely with NIST SP 800-53 Revision
5, ensuring security requirements are communicated consistently across federal
and nonfederal organizations.

By aligning with SP 800-53 r5, SP 800-171 r3 moves the security requirements
from a high level of abstraction to a more concrete one, narrowing the range of
acceptable implementation statements. This is especially true with the
inclusion of Organization-Defined Parameters (ODPs).


2. REDUCTION OF ORGANIZATION-DEFINED PARAMETERS (ODP)  

The introduction of ODPs in select security requirements gives organizations
the flexibility to manage risk in a way suited to their specific context. ODPs
also turn high-level requirements into a narrower, more mature, and more
specific set of requirements.

While NIST reduced the number of ODPs between the initial public draft (IPD) and
this final public draft (FPD) by over 50%, the ODPs that survived the cut will
more than likely remain for the final publication. 

Two new tailoring criteria, Other Related Controls (ORC) and Not Applicable
(NA), are also used to explain why certain SP 800-53 controls were tailored out.


3. INTRODUCTION OF PROTOTYPE CUI OVERLAY

NIST provides a useful tool that shows the traceability between SP 800-53 r5
controls and SP 800-171 r3 requirements. It also documents the logic behind the
tailoring and introduces new tailoring criteria.

The overlay helps navigate the requirements, including the detailed analysis
that supports the tailoring and the mapping from the original control. It looks
more like SP 800-53 r5, and NIST anticipates that by SP 800-171 r4 the overlay
will be more prominent than in these initial versions.

One tailoring decision that might cause confusion is the addition of
Other Related Controls (ORC). This criterion states that “the control relating
to the protection of confidentiality of CUI is adequately covered by other
related controls.” In other words, if you have implemented all the other
security requirements, you do not need to worry about this item because you
have already done it; the control appears only as a placeholder.

The rule of thumb is: if a requirement is not in a contract or part of Section 3
(the Requirements section), then it is not an assessable requirement. Remember
the NFO controls in SP 800-171 rev 2, the SP 800-53 controls listed in
Appendix E as “expected to be routinely satisfied by nonfederal organizations
without specification” and therefore never assessed?


4. ENHANCED SPECIFICITY AND CLARITY  

Revision 3 also includes more specific and clear security requirements, reducing
assessment ambiguity. This clarity will help contractors better understand the
system requirements, how to effectively implement them, and how the assessment
bodies will assess the cybersecurity practices. 


5. EXTENSION OF PUBLIC INVOLVEMENT 

NIST has conducted extensive data collection, analysis, and public interaction
to develop these guidelines. The public comment period has been extended,
allowing stakeholders to review and provide feedback on the draft. 


IMPLICATIONS FOR FEDERAL AGENCIES AND CONTRACTORS 

The revised guidelines are intended to help federal agencies and government
contractors implement these security requirements consistently to protect the
confidentiality of CUI. Systems that process, store, or transmit CUI often
support government programs with critical assets, making their protection
paramount. The changes aim to simplify the NIST cybersecurity publications
ecosystem while strengthening national and economic security safeguards.


FUTURE DIRECTIONS 

NIST plans further revisions and updates following the finalization of SP
800-171 r3. This includes updates to related publications such as SP 800-171A
(security requirement assessment) and SP 800-172 (enhanced security
requirements).  

© 2024 SP6 Consulting, LLC. All rights reserved