Spring Has Sprung New Cyber Requirements: NIST Unveils Draft Revision 3 to NIST SP 800-171
Client Alert | 2 min read | 05.12.23
On May 10, 2023, the National Institute of Standards and Technology (NIST) released a draft of NIST Special Publication (SP) 800-171 Revision 3, containing new and revised cybersecurity controls that, when finalized, will be required for federal contractors handling Controlled Unclassified Information (CUI).
NIST proposed five key changes to NIST SP 800-171:
- New controls and control families. Like Revision 2, NIST SP 800-171 Revision 3 contains 110 total security controls. However, in Revision 3, NIST deleted or consolidated older controls to make way for 26 new controls, including 3 new control families.
- Introduction of organization-defined parameters (ODP). NIST introduced ODP in select security controls, increasing flexibility by allowing federal agencies to specify values for designated parameters as needed. For example, Control 3.5.12, “Authenticator Management,” now allows agencies to define the authenticator refreshment time period or, if the agency prefers, require refreshment when an agency-defined event occurs.
- Increased specificity for security requirements. Revision 3 incorporates nuanced security requirements for the majority of its controls. For example, to comply with Revision 3’s Control 3.1.4, “Separation of Duties,” contractors will need to demonstrate that they:
a. identify the duties of individuals requiring separation; and
b. define system access authorizations to support separation of duties. - Updated tailoring criteria. NIST reduced the number of non-federal organization (NFO) controls from Revision 2, as industry feedback revealed that many NFO controls (e.g. AC-1, “Policies and Procedures”) were not being implemented or assessed.
- A prototype CUI overlay. NIST provided a draft CUI overlay spreadsheet along with Revision 3. The overlay describes how each control and control item in the NIST SP 800-53 moderate baseline—essentially, NIST SP 800-171’s parent standard—is tailored to protect CUI in NIST SP 800-171.
NIST is soliciting comments on Revision 3 through July 14, 2023. Any interested parties may email their comments to 800-171comments@list.nist.gov.
Contacts
Senior Counsel
She/Her/Hers
Insights
Client Alert | 6 min read | 05.02.24
DDTC Publishes Proposed ITAR Amendments to Enhance AUKUS Defense Trade
On May 1, 2024, the Department of State’s Directorate of Defense Trade Controls (DDTC) published a proposed rule that, if implemented, would streamline defense trade between and among Australia, the United Kingdom (UK), and the United States in furtherance of the trilateral security partnership (the “AUKUS” partnership). DDTC issued the proposed rule pursuant to new authorities and requirements contained in Section 1343 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2024 which, in part, directs the Department of State to immediately implement an International Traffic in Arms Regulations (ITAR) exemption, subject to certain statutory limitations, for the UK and Australia if State determines and certifies that each has implemented (1) a system of export controls comparable to those of the United States and (2) a comparable exemption from its export controls for the United States. According to DDTC, the proposed rule “prepare[s] for a future exemption” and solicits public feedback “to shape a final rule following any positive certification.”
Client Alert | 5 min read | 05.02.24
DOL Issues Final Rule Increasing Salary Threshold for FLSA Exemptions
Client Alert | 3 min read | 05.02.24
EEOC Publishes Final Rule Clarifying Critical Components of the Pregnant Workers Fairness Act
Client Alert | 2 min read | 05.02.24
False Claims Act Settlement Illustrates Value of Disclosure and Cooperation
