SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

NIST SP 800-171 R3: An Overview of the Changes

Federal Assessments | CMMC

In the latest revision of documents pertinent to the ongoing CMMC countdown, NIST SP 800-171 R3 has been released. Though there were only a handful of changes in this new version, there were some significant ones regarding the assessment practices and their presentation that those monitoring the progress of CMMC should know.

Why these changes? At a high level, NIST endeavors to eventually align the 800-171 model to 800-53, but as the latter framework is notably more involved than the former, to maintain the spirit of 800-171 and the protection of Controlled Unclassified Information (CUI), NIST 800-171 will essentially become a subset overlay to NIST 800-53 (in the future).

That’s why the assessment practices are changing somewhat in this latest revision—in many cases, organization-defined parameters (referred to as “ODP” in the new NIST documentation) are being added to increase flexibility and help organizations better manage risk. Several practices are also being removed or consolidated, while some altogether new practices are being added.

As one of the foremost C3PAOs on the market that has kept close tabs on the progression of the CMMC program, we’re going to break down the changes in NIST SP 800-171 R3 by family. Though more changes will surely come eventually, with this information, you’ll be able to go ahead and get started tailoring your approach.

 

NIST SP 800-171 R3 Updates

NIST SP 800-171 R3 Practice Family Changes

As it relates to the assessment practices, R3 has added, removed, and consolidated many of the practices from Revision 2. These changes to the assessment practices are summarized by practice family as follows:

Practice Family

Changes

3.1

Access Control

Consolidated:

  • 3.1.13, 3.1.14, and 3.1.15 (Remote Access) into 3.1.12
  • 3.1.17 (Wireless Access Protection) into 3.1.16
  • 3.1.19 (Mobile Device Protection) into 3.1.18

Added:

3.1.23 added to address session logout following a period of inactivity—this new practice is essentially an extension of previously existing practice 3.1.11.

3.4

Configuration Management

Consolidated:

3.4.7 (Prevention of Non-Essential Functionality) into 3.4.6

3.5

Identification and Authentication

 

Withdrawn:

  • 3.5.6 (Disabling Identifiers After a Period of Inactivity)
  • 3.5.8 (Password Reuse)

Consolidated:

3.5.9 and 3.5.10 (Temporary Passwords and Password Encryption) into 3.5.7

Added:

3.5.12 (Authenticator Management) regarding controls for managing authenticators which had previously been covered under other practices.

3.7

Maintenance

 

Withdrawn

3.7.1 (Performance of System Maintenance) has been reclassified as NCO (or, not directly related to protecting the confidentiality of CUI).

Consolidated:

  • 3.7.2 (Control of Tools, Techniques, Mechanisms, and Personnel Within The Performance Of Maintenance) into 3.7.4 and 3.7.6
  • 3.7.3 (Sanitization of Disposed Equipment) into 3.8.3

3.8

Media Protection

Consolidated:

  • 3.8.6 (Media Accountability) into 3.8.5
  • 3.8.8 (Use of Portable Storage Devices) into 3.8.7

3.10

Physical and Environmental Protection

 

Consolidated:

3.10.3, 3.10.4, and 3.10.5 (Facility Access by Visitors) have all been incorporated into a new practice, 3.10.7 for Physical Access Control.

Added:

3.10.8 (Physical Access to Transmission Lines (e.g., network cables and devices, etc.) and Output Devices (e.g. printers, scanners, etc.).

3.11

Risk Assessment

Consolidated:

  • 3.11.3 (Vulnerability Remediation) into 3.11.2

Added:

  • 3.11.4 (Response from Risk Assessments)

3.12 

Security

Assessment

Consolidated:

  • 3.12.4 (Creation and Management of the System Security Plan) into 3.15.2

Added:

  • 3.12.5 (Independent Assessment): Addresses the potential conflict of interest that might exist when an organization’s system management and security controls would be assessed by the same individuals who are managing them—now, independent assessors are required to evaluate those controls.
  • 3.12.6 (Information Exchange): Requires the documenting and secure managing of the exchange of CUI between organizations (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual).
  • 3.12.7 (Internal System Connections): Deals with the authorization and periodic review of intersystem connections within an organization.

3.13

System and Communications Protection

Consolidated:

  • 3.13.2 (Use Of Architectural Designs, Software Development Techniques, and Systems Engineering Principles to Promote Effective Security) into 3.16.1
  • 3.13.5 (Subnetting Publicly Available Network Segments) into 3.13.1
  • 3.13.16 (Protection of CUI at Rest) into 3.13.8

Withdrawn

3.13.14 (Control of VoIP Technologies), as it represents a technology-specific practice.

Added:

  • 3.13.17: Addresses the protection of internal network traffic routing to external points over a designated proxy server.
  • 3.13.18: Regards control access points into the system and incorporates portions of the former 3.1.14

3.14

System and Information Integrity

Consolidated:

  • 3.14.4 and 3.14.5 (Updating Malicious Code Mechanisms and Scanning of Systems) into 3.14.2
  • 3.14.7 (Identification of Unauthorized Systems) into 3.14.6

Added:

3.14.8: Addresses the control of spam or unsolicited email messages.

 

New Families in NIST SP 800-171 R3

Aside from these changes, some entirely new practice families were also added to ensure a more comprehensive assessment, changing the total number of families to be assessed from 14 to 17. Those three new families are:

  • 15 – Planning
  • 16 – System and Services Acquisition
  • 17 – Supply Chain Risk Management

New Practice Family

Includes:

3.15

Planning

  • 3.15.1 (Policy and Procedures): States that an organization must develop and document the policies and procedures associated with achieving compliance with 800-171 and that those documents are routinely reviewed and updated.
  • 3.15.2 (System Security Plan): Not a “new” practice so much as it is a housekeeping item that has moved this requirement from 3.12.4.
  • 3.15.3 (Rules of Behavior): Requires that the organization define rules describing the responsibilities and expected behavior regarding usage and the handling of CUI for individuals requiring access to the system.

3.16

System and Services Acquisition

  • 3.16.1 (Security Engineering Principles): Specifies that an organization apply systems security engineering principles in the specification, design, development, implementation, and modification of the system and system components, including tactics such as:
    • Layered protections in development
    • Security policies, architecture, and controls as the foundation for design
    • Incorporation of security requirements into the system development life cycle
    • Physical and logical security boundaries
    • Training for developers on how to build trustworthy secure software
  • 3.16.2 (Unsupported System Components): Stipulates that the organization must replace system components that are no longer supported by the developer, vendor, or manufacturer, or provide options for alternative sources for continued support for unsupported components.
  • 3.16.3 (External System Services): Requires that any providers of external system services comply with the organization's security requirements, with documentation and ongoing oversight for those external services.

3.17

Supply Chain Risk Management

  • 3.17.1 (Supply Chain Risk Management Plan): Requires a plan for managing supply chain risks associated with the development, manufacturing, acquisition, delivery, operations, maintenance, and disposal of the system, system components, or system services.
  • 3.17.2 (Acquisition Strategies, Tools, and Methods): Instructs the organization to develop and implement acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks.
  • 3.17.3 (Supply Chain Controls and Processes): Requires that the organization define processes for identifying and addressing weaknesses or deficiencies in their supply chain and employ controls to protect those risks, thus limiting the harm or consequences from supply chain disruption.
  • 3.17.4 (Component Disposal): An extension of 3.8.3 concerned with the disposal of media containing CUI, expands the scope to include the disposal of system components, documentation, or tools containing CUI.

Though R3 essentially retains all of the practices from Revision 2, because redundant practices have been removed and related practices are being consolidated into single practices as distinct assessment objectives—together with the families and practices that are being added—the overall scope of a R3 assessment will increase relative to Revision 2. R3 still has a total of 110 practices with which an organization subject to NIST 800-171 must comply.

What to Expect From NIST SP 800-171 Moving Forward

Up-to-date information concerning developments in NIST SP 800-171 R3 is available at the NIST website, along with other resources that provide further detail concerning the changes that are taking place, including tools to help organizations assess the impact of Release 3 on their compliance initiatives.

We encourage any organization with questions to contact us so that we may discuss your options for achieving compliance with NIST 800-171 requirements. In the meantime, make sure to check out our other in-depth content that can help you get ready for CMMC:

About Todd Connor

Todd Connor is a Senior Associate with Schellman based in Jacksonville, FL. Prior to joining Schellman in 2022, Todd worked as a technology manager for a maritime shipping company responsible for architecting and developing their NIST / CMMC compliance program. Todd has over twenty years of information technology leadership experience across various industries including transportation & logistics, pharmacy benefits management, retail pharmacy and big-box retail, during which time, he has been responsible for responding to NIST 800-171, HIPAA, PCI, ISO and Sarbanes Oxley audits. Todd is now focused primarily on Schellman’s FedRAMP practice, specializing in CMMC compliance for organizations across various industries.