The New NIST SP 800-171 Revision 3 is Here! Comparing Revisions 2 and 3
Finally! The National Institute of Standards and Technology (NIST) released the final copy of NIST 800-171 Revision 3, or Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This follows nearly 22 months of draft and public comment periods, during which many organizations undoubtedly debated whether to continue using Revision 2 (finalized in 2021) or refer to draft versions of 3 for compliance efforts.
Bottom line up front: Revision 3 brings significant changes compared to Revision 2, with both simplifications and additions to strengthen security postures — including the introduction of control families, ODPs, and more granular requirement details.
Let’s take a look at the differences between Revisions 2 and 3, and what they functionally mean for organizations that adhere to its requirements.
Revision 2 vs. Revision 3
Welcome, New Families! - Rev. 3 includes the addition of more control families- Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR). These changes bring 800-171 into greater parity with another crucial NIST framework, 800-53 Rev. 5. While this adds a number of new requirements, don’t worry…
Net Loss - …NIST also withdrew 27 requirements, resulting in overall fewer requirements. That said, don’t assume that a withdrawn requirement has disappeared entirely. In many cases, they were absorbed or considered addressed by existing or new requirements.
You Down With ODPs? - Further increasing 800-53 parity is the introduction of organization-defined parameters, or ODPs. These parameters are inserted as bracketed italics into the wording for each requirement (and in some cases, more than once per requirement), and are to be replaced by the organization’s own specifications while developing internal 800-171 compliance documentation. For example, compare “03.05.02” for revisions 2 and 3:
Revision 2: “Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.”
Revision 3: “Uniquely identify and authenticate [Assignment: organization-defined devices or types of devices] before establishing a system connection.”
The meaning is essentially identical, but the presence of an ODP gives greater flexibility to tailor compliance to a specific organization’s needs. It should also make mapping 800-171 to other frameworks (like 800-53, and thus FedRAMP) easier. Remember, though, that other frameworks, guidelines, legal requirements, and regulations may dictate these values, as well, so the flexibility offered varies greatly by organization.
A Periodic Change - Undoubtedly tied to the introduction of ODPs is the removal of the word “periodically” throughout requirement statements. ODPs that require a specification of schedule take this word’s place and reduce the vagueness that “periodically” introduces to requirement text.
Requirement Revamp - Over 70 requirements received some variety of wording change. About a third of these are “editorial,” meaning the changes don’t drastically alter the intent of the requirement. NIST considers the addition of ODPs a “significant change,” however some truly significant changes did occur to the requirement text, as well. Many of these major changes involve the inclusion of detailed descriptions and tasks to allow for 800-53 alignment, so be sure to check not just policy wording in internal compliance documents, but also the related procedures.
Absolute Zero - It’s the small things that matter. Revision 3 introduces leading zeros to requirement numberings. For example, “3.13.1” is now “03.13.01,” making it far less confusing when working with or searching for visually-similar numbers (e.g. “3.13.10”).
Revision 3 brings significant changes compared to Revision 2, with both simplifications and additions to strengthen security postures. While navigating the updates might seem daunting at first, understanding the key differences – the introduction of control families, ODPs, and more granular requirement details – allows organizations to tailor their compliance efforts effectively while also aligning with 800-53 more easily. With a focus on clarity, flexibility, and alignment, Revision 3 positions organizations for a more robust and adaptable approach to protecting Controlled Unclassified Information (CUI)…plus, it finally has those leading zeros.
800-171 is a great framework for organizations to consider; regardless of your organization’s compliance maturity, its applicability to CUI and the federal landscape can open doors. Whether you’re navigating the Revision 2-to-3 update, trying to apply it to FedRAMP, or are just “compliance curious,” reach out! Aquia has a range of services to help define and guide your compliance journey.
If you have any questions, or would like to discuss this topic in more detail, feel free to contact us and we would be happy to schedule some time to chat about how Aquia can help you and your organization.