In June, the draft of NIST SP 800-171 revision 2 was released for public comment. Here at Stronghold Cyber Security, we have performed dozens of NIST 800-171 assessments for DoD contractors of every type and size, all over the United States, ranging from a small excavation company in the Midwest to multinationals with thousands of employees. Point being, we have really been in the trenches helping our clients control their CUI (Controlled Unclassified Information). Our NIST 800-171 assessment process differs from most in two ways. First, it was built on lessons learned from maintaining actual classified networks for the DoD itself: we use the DSS (Defense Security Service) SSP (System Security Plan) format for our clients’ SSPs because it is simple and highly maintainable. Second, ALL of our assessments include a live network vulnerability assessment: host discovery, host analysis, credentialed patch audits of both the OS and third-party software, and policy compliance audits.
The initial deadline for DoD contractors to comply with DFARS 7012 was 31 December 2017, and changes not only to the NIST 800-171 framework but to the general process of controlling CUI are well underway. In a few years’ time, cybersecurity in the DoD supply chain is going to look like what ISO 9000 does today – mature, homogeneous, and ubiquitous.
To that end, the draft of NIST 800-171 revision 2 has been published and is under review, with public comments accepted until Friday, August 2, 2019 (the comment period was extended to that date). Interestingly, this particular revision is pretty much a nothingburger: there are no substantive changes and no changes to the requirements themselves. The NIST 800-171 revision 2 draft itself states:
“This update provides minor editorial changes in Chapter One, Chapter Two, and the Glossary, Acronyms, and list of References. There are no changes to the basic and derived security requirements in Chapter Three.”
So, companies that have a written contractual obligation to comply with NIST 800-171 should be good to go – for now.
Another development we are tracking for our clients is the recent draft publication of NIST SP 800-171B – Enhanced Security Requirements for Critical Programs and High Value Assets. It goes without saying that not all information is of equal value to our nation’s adversaries: they are going to be more interested in stealing the designs for F-35 parts than excavation plans. We suspect that 800-171B is going to serve as a stopgap to protect high-value information. NIST 800-171B is quite rigorous and contains 33 enhanced requirements in addition to the 110 requirements of 800-171 itself. If your company is going to be required to comply with NIST 800-171B and you are still not there with the initial 110 controls, DO NOT put off your cybersecurity initiatives any further – the time for real action on this has already passed.
We’ll do a deep dive on 800-171B in a subsequent post.