
NIST SP 800-171 Revision 1 Changes

  • Feb 7, 2017
  • 4 min read

In December 2016, NIST released an updated version of NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” This revision arrives as many organizations are entering their final year before the implementation deadline. For those organizations that are in the middle of their implementation, there should be a collective sigh of relief that the changes are no more extensive than they are.

In this analysis, the changes are broken down into three areas: Applicable Systems, System Security Plan, and Other Changes. For many organizations, these changes will have minimal effect on their implementation plans. For every organization, it is imperative that all of the changes be carefully evaluated to determine their applicability to that organization.

APPLICABLE SYSTEMS

The biggest, most pervasive change in the December 2016 “Revision 1” is a scope change. The prior version had a narrower view of which systems were affected by the standard. Under the older version, a large number of the requirements referenced the “information system”. For every such reference, the word “information” has been deleted or replaced by “organizational”. The purpose of this change is to present a wider-ranging scope of what is covered by those requirements.

The systems referenced under Revision 1 include things like:

  • General purpose information systems,

  • industrial and process control systems,

  • cyber-physical systems, and

  • IoT devices.

Most interpretations of the original NIST SP 800-171 did not include these elements, so many implementations had excluded these systems from consideration. Now, it will be necessary to include these secondary systems in the evaluation of each requirement, especially the 43 requirements where the language was changed specifically to address this change of scope.

SYSTEM SECURITY PLAN

With this new revision, there is a clarification about what is to be done with the plans and procedures associated with the implementation of NIST SP 800-171. One requirement has been added:

3.12.4 – Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Then in Chapter 3, there is a description of the System Security Plan (SSP). The SSP provides documentation of how the specified security requirements are met. This may include plans of action associated with any unimplemented requirements and the plans for mitigations.

The responsible federal agency or contracting officer may request the SSP. This document will provide evidence of your organization’s implementation and implementation plans for the NIST SP 800-171 requirements. The federal agencies may use the SSP as a major factor in assessing the risk associated with the handling of CUI on your systems. These risk assessments could affect contracting and award decisions.

The SSP can be in any format. The Plans of Action can be included in the SSP or be separate documents.

OTHER CHANGED REQUIREMENTS

Requirement 3.1.19 has been expanded. Where it previously required control of CUI on mobile devices, it now calls these “mobile computing platforms.” Those platforms are clarified in a footnote to include smartphones, tablets, E-readers and notebook computers.

Requirement 3.1.22 is now more specific. Where it had addressed the control of information posted on publicly accessible sites, it now specifies that it is only concerned with CUI exposed to the public.

Requirement 3.5.10 has been given greater clarity. The previous version called for passwords to be stored and transmitted in an encrypted representation. Under Revision 1, it now calls for cryptographically-protected versions of passwords.
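As an added illustration of what a “cryptographically-protected” stored password looks like in practice (this is example code written for this article, not anything from NIST SP 800-171 or from Crossways Concepts), the block below derives a one-way, salted PBKDF2-HMAC-SHA256 record for storage and verifies a login attempt against it in constant time. The iteration count and the record layout are assumptions chosen for the example; the standard does not prescribe them. The point of contrast with a merely “encrypted” representation is that no key held by the system can turn the stored record back into the password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example only; NIST SP 800-171 does not
# specify an algorithm, iteration count or salt length.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def protect_password(password: str, salt: Optional[bytes] = None,
                     iterations: int = ITERATIONS) -> str:
    """Return a storable record "alg$iterations$salt_hex$digest_hex".

    The derivation is one-way: the record contains the salt and parameters
    needed to re-run it, but no secret that could recover the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive from the stored record and compare without timing leaks."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False  # unknown or unsupported protection scheme
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids early-exit comparison timing differences.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = protect_password("correct horse battery staple")
    print("stored record:", stored)
    print("correct password verifies:",
          verify_password("correct horse battery staple", stored))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", stored))
```

Because each call draws a fresh salt, two users with the same password get different records, which is part of why a salted one-way derivation satisfies the “cryptographically protected” wording better than a reversible encryption of the password under a system-held key.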

Requirement 3.8.4 called for the marking of media that contains CUI, but without any clear guidance on what those markings should consist of. The new version has a modified footnote for this requirement which specifies that the media be marked in accordance with 32 CFR, Part 2002 and the CUI registry.

Requirement 3.11.2 required vulnerability scanning of systems and applications. Whereas the old requirement called for scans to be performed periodically and also as new system vulnerabilities were identified, the newer version adds that scans should also be performed when new application vulnerabilities are identified.

Requirement 3.12.4 is new. The impact of this new requirement is discussed in the System Security Plan section of this document.

Requirement 3.13.12 disallows collaborative computing devices that can be remotely activated. In Revision 1, a footnote has been added to the term “collaborative computing devices” which excludes dedicated video conferencing systems that rely on one of the participants connecting to the other party.

IN SUMMARY

The change in scope of affected systems may create some stress if the organization has systems that had been excluded from implementation plans prior to Revision 1. The need for the SSP likely just requires some consolidation and/or reorganization of documentation, or might be as simple as changing the title of an existing document to “System Security Plan.” None of the other changes are going to be earth-shattering for most organizations.

Overall, while the new revision will require some degree of effort to make the updates, it is not a major change as compared to the effort to attain the original implementation.

Every organization is different. A change that one person interprets as requiring no effort in one organization, might be a major point of stress within a different organizational context. For this reason, each organization should carefully evaluate the changes to the requirements to determine the effect on that organization’s implementation of NIST SP 800-171.

For more information about implementation of NIST SP 800-171, go to http://nist-sp-800-171.com.

© 2019, Crossways Concepts, LLC
