Impact of NIST SP 800-171 Rev. 3 on CMMC and Related Programs

Introduction:

NIST SP 800-171 Rev. 3 is coming, and it is important for organizations that handle Controlled Unclassified Information (CUI) to understand the impact it will have on their compliance obligations. In this blog post, we will discuss the key changes in Rev. 3, the potential impact on CMMC, and what organizations can do to prepare.

Key changes in NIST SP 800-171 Rev. 3:

  • Consolidation of existing requirements: Rev. 3 merges several existing requirements, which can help streamline compliance efforts. For example, requirements 3.1.18 and 3.1.19 have been merged into a single requirement, 3.1.18, which now requires organizations to implement a risk management framework.
  • Clarification of existing requirements: Rev. 3 clarifies many of the existing requirements, which can help reduce confusion and ensure that organizations implement them correctly. For example, requirement 3.1.24, which requires organizations to implement continuous monitoring, has been clarified to explain what types of activities continuous monitoring should include.
  • Addition of brand-new requirements:
    • Supply chain risk management: Rev. 3 requires organizations to implement a supply chain risk management program to identify, assess, and mitigate risks associated with their suppliers.
    • Multi-factor authentication (MFA): Rev. 3 requires organizations to implement MFA for all privileged accounts.
    • Software development security: Rev. 3 requires organizations to implement a software development security program to ensure that security is considered throughout the software development lifecycle.

Potential impact on CMMC:

CMMC is a cybersecurity certification program developed by the Department of Defense (DoD) to protect CUI. The CMMC requirements are based on NIST SP 800-171, but they are more stringent in some areas.

It is likely that DoD will eventually update the CMMC requirements to align with NIST SP 800-171 Rev. 3. However, it is unclear when this will happen. In the meantime, organizations that are seeking CMMC certification should comply with the current CMMC requirements, which are based on NIST SP 800-171 Rev. 2.

What organizations can do to prepare:

Organizations can start preparing for the impact of NIST SP 800-171 Rev. 3 now by:

  • Reviewing the changes in Rev. 3: Organizations should review the changes in Rev. 3 to identify any new or updated requirements that they will need to implement.
  • Assessing their current compliance posture: Organizations should assess their current compliance posture to identify any gaps that they need to address in order to comply with Rev. 3.
