Have you ever wondered how sensitive information, even if it’s not classified, can still be vulnerable to cyber threats? In a world where data breaches and cyber attacks are becoming increasingly common, safeguarding sensitive unclassified information is of paramount importance. The National Institute of Standards and Technology (NIST) recognizes this pressing need and has recently updated its guidelines for protecting such information. If you’re a defense contractor or part of any industry that handles sensitive data, these updates could have significant implications for your cybersecurity practices.
The National Institute of Standards and Technology (NIST) published 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Revision 3 on May 10, 2023. These guidelines establish the essential cybersecurity standards for federal defense contractors and provide guidance for safeguarding sensitive unclassified information in contractor systems. Systems that hold controlled unclassified information (CUI) must adhere to NIST Special Publication (SP) 800-171’s minimum specifications.
According to NIST, Revision 3 is intended to align with the revised security controls that govern federal systems. Many of its changes reflect the updates made to NIST SP 800-53, rev. 5, Security and Privacy Controls for Information Systems and Organizations (September 2020), and to the NIST SP 800-53B moderate-control baseline. Revision 3 specifically introduces three new control families: planning, system and service acquisition, and supply chain risk management.
With some requirements added and others removed, Revision 3 keeps roughly the same number of controls overall. Most of the requirements that were dropped are covered by other controls. Revision 3 also includes updated tailoring criteria, more precise security requirements, and organization-defined parameters for specific controls. A prototype CUI overlay, which gives a thorough analysis of the tailoring decisions made at the control or requirement-item level between SP 800-53 and SP 800-171, accompanies this revision. Compared with earlier published versions, Revision 3 eliminates the distinction between basic and derived security requirements and adds more guidance on how to implement the controls.
Key Takeaways from the Updated Guidelines
Contractors will want to understand how Revision 3 affects their present and future cybersecurity compliance obligations. NIST SP 800-171 rev. 2 currently underpins most of the cybersecurity requirements imposed on the defense industrial base. The new edition, however, has been written with the expectation that it will serve as the basis for future assessments of government contractors.
Revision 3 will begin to be incorporated into contracts once it is finalized, although exactly how it will be enforced on contractors is not yet known. The current regulations present defense contractors with the following potentially incompatible obligations:
Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7012
The -7012 clause mandates adherence to the SP 800-171 version that is “in effect at the time the solicitation is issued or as authorized by the Contracting Officer.” When Revision 3 is complete, “covered contractor information system[s] shall be subject to the security requirements” in that version, according to the text of -7012.
DFARS 252.204-7019 and -7020
Under the DFARS NIST self-assessment requirements, contractors must conduct an assessment “in accordance with the NIST SP 800-171 DoD Assessment Methodology,” which is available on the DoD website. That methodology is based on Revision 2. Even after Revision 3 is finalized, it is unknown when the assessment methodology will be updated to match Revision 3 and NIST SP 800-171A, rev. 1.
Because of the current wording of the cybersecurity requirements in the DFARS, contractors may be expected to comply with Revision 3 under -7012 while still assessing themselves against Revision 2. To reduce or avoid these potentially contradictory requirements, DoD may issue a class deviation so that Revision 3 is not imposed on contractors before the assessment methodology has been updated. Until the assessment methodology and related standards are revised to reflect Revision 3, this would ensure that contractors need only meet Revision 2’s requirements. It would also give contractors time to prepare for the rollout of Revision 3.
DoD plans to publish a Defense Industrial Base Cybersecurity Strategy by the end of 2023 that will outline the “pieces and parts” that make up its cybersecurity framework. This strategy may make it clearer how DoD intends to incorporate Revision 3 into its cybersecurity standards. According to the most recent DoD statements, the CMMC program may not be implemented until fall 2024, so the release of this strategy will coincide with the program’s development.
Contractors who may be affected by the changes in Revision 3 should study the proposed controls in the meantime and raise any concerns they have with them. The public comment period is open until July 14, 2023. By submitting comments, contractors can help shape the regulations that will ultimately apply to them. Contractors should consider using NIST’s comment template, presenting their information in a structured way, and backing each piece of feedback with a thorough justification.
In conclusion, the updated guidelines from NIST put a crucial spotlight on the security of sensitive unclassified information. By emphasizing risk assessment, access control, encryption, and incident response, they provide a roadmap for strengthening cybersecurity practices. As a defense contractor, staying informed about these changes and implementing them effectively can help you stay ahead in the ever-evolving landscape of cyber threats. Remember, safeguarding sensitive information is not just a responsibility; it is an essential step toward a safer digital future for your organization and its stakeholders. Talk to us today for a seamless NIST journey.