The National Institute of Standards and Technology (NIST) developed the NIST 800-171 framework to set guidelines and security requirements for protecting controlled unclassified information (CUI). NIST first created the framework in June 2015 but has since revised the publication several times, most recently in November 2023.
NIST’s latest revision, known as NIST 800-171 Revision 3, includes significant updates to the publication’s control families, security controls (formerly NFOs), tailoring criteria, and organization-defined parameters (ODPs). Revision 3 notably requires organizations to comply with stringent third-party risk management (TPRM) requirements, including the implementation of risk assessment workflows, continuous monitoring, and additional strategies related to supply chain risk management (SCRM).
Keep reading to learn what your organization needs to do to comply with the latest revision of NIST 800-171, and discover how UpGuard can help you on your journey to becoming NIST compliant.
What is NIST Special Publication 800-171?
The UpGuard cybersecurity blog includes a comprehensive overview of NIST SP 800-171 and a free NIST 800-171 compliance checklist. Reading these resources is the best way to get acquainted with the details of the publication, as this article will strictly touch upon the updates included in Rev. 3 (as well as how these updates impact organizations that were previously compliant with NIST 800-171 Rev. 2).
Here is a quick refresher on the critical components of NIST 800-171:
- Focuses on protecting CUI in nonfederal systems and organizations
- Provides federal agencies baseline strategies to safeguard the confidentiality of CUI
- Covers 17 control families across topics such as access control and identification and authentication
- All Department of Defense (DoD) contractors must comply with NIST (DFARS 252.204-7012)
- Often compared to the Cybersecurity Maturity Model Certification (CMMC)
Why is NIST SP 800-171 Revision 3 Important?
The latest NIST SP 800-171 revision is critical because it imposes stringent TPRM requirements on all government contractors and associated vendors that handle federal information. In total, Revision 3 of the publication includes 17 new requirements previously not included in Revision 2.
NIST has created several supporting documents to accompany the publication, including a detailed analysis of NIST 800-171 that tracks all significant changes (including discussion section formatting and changes in methodology) made between Rev. 2 and Rev. 3. and a prototype CUI overlay.
When Will NIST SP 800-171R3 be Finalized?
Organizations affected by the latest NIST 800-171 revision must act quickly to implement solutions before NIST finalizes the document and compliance is required. NIST aims to complete the document within the first half of 2024, while the institute will conduct formal assessments and audits by early 2025.
NIST released the initial public draft (IPD) of Rev.3 on May 10, 2023. After publishing the IPD, the institute held a public comment period to field changes before releasing the final public draft (FPD in November 2023.
What are the TPRM Requirements of NIST 800-171 Rev. 3?
The TPRM requirements of NIST 800-171 Rev. 3 are vast and may challenge even the most prepared organizations. If your organization is scrambling to expand its risk management program, this is the best plan of action:
Start by developing an understanding of the latest NIST requirements, then assess your TPRM processes against these requirements to identify any compliance gaps in your program. Finally, address these gaps and implement strategies to elevate your TPRM program and fully adhere to the latest specifications of NIST 800-171.
The most critical TPRM requirements of NIST 800-171 Rev. 3 include:
- 3.11.1 - Risk Assessment: Requires organizations to assess the risks of processing, storing, or transmitting CUI and update risk assessments periodically
- 3.11.2 - Vulnerability Monitoring and Scanning: Requires organizations to monitor and scan for vulnerabilities and remediate identified vulnerabilities
- 3.12.2 - Plan of Action and Milestones: Requires organizations to create a plan of action to correct deficiencies and eliminate vulnerabilities
- 3.12.3 - Continuous Monitoring: Requires organizations to install ongoing monitoring and security assessments to secure their system
3.11.1 Risk Assessment
The risk assessment requirements of NIST 800-171 make it necessary for organizations that process, store, or transmit CUI to develop workflows to assess the risks associated with their operation. An organization’s risk assessments must evaluate first-party and third-party risks, including supply chain and vendor compliance risks. The organization is also responsible for updating these risk assessments periodically to keep up with information system changes and supply chain expansions.
How Can UpGuard Help with Risk Assessments?
UpGuard Vendor Risk has helped hundreds of organizations streamline their vendor risk assessment process. Our solution provides access to custom risk assessments tailored to an organization’s vendor relationships and specific risk exposure.
By using UpGuard Vendor Risk to elevate your vendor security assessment process, your organization can:
- Eliminate the need for lengthy, error-prone spreadsheet-based assessments
- Gather evidence and remediate or waive risks all in the same easy-to-use workflow
- Reduce the time it takes to assess a new or existing vendor
- Comply with the risk assessment requirements of NIST 800-171
3.11.2 Vulnerability Monitoring and Scanning
NIST 800-171 now requires applicable organizations to install ongoing vulnerability monitoring and scanning strategies into their TPRM program. These requirements also force organizations to remediate known vulnerabilities promptly and update the scope of their vulnerability monitoring system to scan for new vulnerabilities as they are identified and reported.
How Can UpGuard Help with Vulnerability Monitoring?
UpGuard’s cybersecurity solutions grant organizations peace of mind by monitoring their external and third-party attack surfaces for vulnerabilities. Organizations that utilize UpGuard for vulnerability monitoring will:
- Gain confidence in their cybersecurity program
- Ensure continuous monitoring across digital assets and third-party vendors
- Gain total visibility over external assets, known and unknown
- Safeguard their brand’s reputation
- Comply with the vulnerability monitoring requirements of NIST 800-171
3.12.2 Plan of Action and Milestones
The latest NIST 800-171 revision requires government contractors to develop risk remediation and vulnerability management workflows. More specifically, organizations must create a plan of action and milestones for their internal system that documents remediation actions and eliminated vulnerabilities. Organizations must also update this plan with relevant findings from security assessments, independent audits, or monitoring activity.
How Can UpGuard Help with Remediation Workflows & Reporting?
UpGuard Vendor Risk eliminates the pain of chasing vendors to remediate risks by preparing custom remediation plans based on relevant vendor risk assessments and industry best practices. UpGuard’s Reports Library also makes it easy for organizations to keep stakeholders informed with easy-to-use, fast, and customizable reports.
By using UpGuard’s remediation and reporting solutions, your organization will be able to:
- Save time and deploy security resources more efficiently
- Track the remediation process and record when vendors complete remediation
- Develop custom compliance and remediation reports
- Improve your security posture and rating
- Comply with the plan of action requirements of NIST 800-171
3.12.3 Continuous Monitoring
Organizations are now required to install continuous monitoring strategies to achieve compliance with NIST 800-171. These strategies must include ongoing monitoring processes and relevant security assessments.
How Can UpGuard Help with Continuous Monitoring?
UpGuard empowers organizations to take control of their security posture by identifying vulnerabilities, detecting changes, and uncovering potential threats and vulnerabilities 24/7.
By using UpGuard for TPRM and attack surface management, your organization will be able to:
- Constantly monitor and manage exposures across your supply chain
- Proactively identify and prioritize vendor vulnerabilities for remediation
- Make informed risk decisions based on accurate, real-time insights
- Comply with the continuous monitoring requirements of NIST 800-171
How UpGuard Helps Organizations Comply with NIST SP 800-171A Rev.3
UpGuard offers comprehensive cybersecurity solutions that enable organizations to elevate their TPRM, ASM, and SCRM programs and functions and achieve compliance with significant frameworks, including NIST SP 800-171.
The UpGuard toolkit includes the following features and solutions:
- Continuous monitoring: Get real-time updates and manage exposures across your attack surface, including domains, IPs, apps, endpoints, plugins, and firewalls
- Attack surface reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting
- Shared security profile: Create an UpGuard Shared profile to eliminate the hassle of answering security questionnaires
- Workflows and waivers: Streamline remediation workflows, quickly waive risks, and respond to security queries
- Reporting and insights: Access tailor-made reports for stakeholders, contracting officers, and executives, and view information about your external attack surface
- Vendor Security questionnaires: Automate security questionnaires to gain deeper insight into your vendor relationships and security posture
- Security ratings: Appraise the security posture of individual vendors by using our data-driven, objective, and dynamic security ratings
- Risk assessments: Streamline risk assessment workflows, gather evidence, and quickly request remediation