NIST 800-171 Revision 3: The Impact on CMMC Compliance and How To Get Ready

If you are a company that holds a contract with the DoD and handles CUI, you are probably very familiar with the NIST 800-171 since compliance became mandatory in 2017.  

The NIST CUI series was developed by the National Institute of Standards and Technology to help protect CUI in nonfederal systems. The 800-171 standard, specifically, established guidelines to protect controlled unclassified information (CUI) handled by contractors and subcontractors that engage with federal agencies. NIST 800-171 derives requirements from FIPS 200 and NIST SP 800-53 but has tailored these requirements to specifically address the protection of CUI in nonfederal information systems.


What is CUI?

CUI stands for Controlled Unclassified Information. CUI is defined as government-related information that needs to be protected and transmitted using controls compatible with government laws, regulations, and policies. 

The NIST CUI Program was established to standardize the way the government and its contracted companies handle information that requires protection and is not classified. The program was introduced with Obama’s Executive Order 13556 in 2010 to create a streamlined process for information sharing and safeguarding of controlled unclassified information.

What is the CMMC?

The CMMC program mandates security requirements for the huge scope of organizations that comprise the Defense Industrial Base (DIB). The CMMC is essentially a verification mechanism to ensure that companies within the DIB implement proven cybersecurity practices to protect CUI. Based on NIST 800-171, CMMC requirements are divided by maturity levels to better align with the various levels of protection needed in different businesses. The need for both the CMMC and NIST 800-171 is explained in the next section.

Why Does the DIB Need to Comply With the CMMC and NIST 800-171?

The need for the NIST 800-171/CMMC double-pronged approach is easily explained, although it’s not so easily implemented in practice. 

NIST is a national organization that develops measurable standards in different economic sectors. They are not a regulatory body, and cannot enforce their standards. The CMMC is the mandated framework that requires the DIB to comply with NIST CUI standards.

Getting Ready for Spring

The final version of the CMMC 2.0 is scheduled to be released this Spring. According to the current draft of CMMC 2.0, contractors will need to be certified by a CMMC Third-Party Assessment Organization for Level 2 and Level 3 by the end of 2025 to contract work with the Department of Defense or to continue doing business with the department.

The CMMC certification is an entrance exam of sorts that a contractor must pass to even attempt to bid on a government contract. To date, the CMMC 2.0 includes the complete requirements outlined in NIST 800-171 for Level 2 CMMC certification, which is the CMMC level that a majority of companies in the DIB (Defense Industrial Base) fall into.

In the CMMC 1.0, NIST 800-171 enforcement was a matter of self-attestation. But the DoD will be cracking down on this policy, which was being neglected by DoD contractors, especially in smaller companies, and is ratcheting up the certification process with C3PAOs (CMMC Third-Party Assessor Organizations) and the DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) under the soon-to-be-released CMMC 2.0.

This major shift of policy in requiring a third-party audit to ensure compliance with the NIST 800-171 is because both contractors and contracting officers have been “lackadaisical” about meeting the standards set by NIST SP 800-171 when they were trusted to reach the standard by their own attestation.

As the new CMMC is set to go into effect next spring, it’s as good a time as ever to start getting things in order to be in compliance with the 110 NIST 800-171 controls.

The NIST CUI Series is Going Toward Revision 3

To add a twist to the narrative, in the Summer of 2022, NIST announced that they are planning to revise NIST 800-171 over the next 18 months. Later in 2022, NIST announced their plan to release an initial draft of 800-171, Revision 3 in late Spring 2023. That coincides head-on with the anticipated CMMC 2.0 final publication.

NIST’s Victoria Pillitteri provided a preview of what to expect in the NIST revision at a CMMC conference in May 2022. She also called for comments from users and assessors of the CUI series to provide insight and feedback even before a third revision draft is drawn.

She said “the intention” is for NIST to learn from the stakeholder community “on how to improve and better streamline these resources so they are more usable and more effective and ultimately they increase how we implement cybersecurity and improve the outcomes.”

DIB businesses that have not yet implemented NIST 800-171 should take note of this because they will probably need to adopt extra controls with the anticipated third revision of the CUI series. The revision from NIST, however, is unlikely to have an impact on CMMC 2.0 early adopters who are fully prepared for assessments soon after the CMMC 2.0 rollout.

As of yet, there is no long-term timeframe for the expected rollout of NIST 800-171 Revision 3.

NIST CUI Series Revision & Impact on the CMMC

To date, businesses in the DIB should work on achieving compliance with the existing NIST 800-171 Rev 2 standard. Although changes are expected in the third revision, if your company receives a CMMC certification prior to the anticipated Revision 3 update to NIST 800-171, you will only need to meet the requirements in the current standard, NIST 800-171 Rev 2. As mentioned earlier, it is fair to assume that early adopters of the CMMC 2.0 are unlikely to be affected by the third revision of NIST 800-171.

Centraleyes Releases the CMMC 2.0 Framework

Centraleyes is excited to announce that our platform is upgraded with the new CMMC version 2.0 as part of our extensive framework library. Centraleyes has mapped the new CMMC version to update the existing framework and reflect the changes in the maturity levels.

Are You Mandated By the CMMC 2.0?

The Department of Defense (DoD) created the DoD CMMC certification protocol to ensure that contractors have the safeguards in place to protect confidential data such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Organizations that wish to do business with the US Department of Defense must comply with CMMC. The new revision requires third-party verification of contractor system security and demands that all third-party companies in their supply chain handle their partners with the same diligence.

The Centraleyes platform eases the process of meeting CMMC compliance by using an integrated and newly updated CMMC version 2.0 questionnaire with an easy-to-follow system to help track and close vulnerable areas.

The platform also allows users to start an assessment around the NIST 800-171 framework while walking you through all the requirements that need to be met for this prerequisite.

Centraleyes enables organizations to exchange data across various standards and frameworks, saving time and money and allowing for more accurate and reliable data.
