Request Demo

DFARS, NIST Cybersecurity Framework

What To Expect From The Imminent Revisions To Two Of NIST's Most Popular Frameworks

down-arrow

While the NIST Privacy Framework may be the headliner for the most anticipated new publication from the National Institute of Standards and Technology, there are two imminent revisions that security teams are expecting that could have a greater impact: SP 800-171 Rev 2, and SP 800-53 Rev 5.

SP 800-171 Rev 2

NIST SP 800-171 is a part of the DFARS mandate that rolls out of to the entire Department of Defense supply chain. Specifically, 800-171 is a collection of controls designed for the proper handling of controlled unclassified information (CUI). The first revision was rolled out in early 2018 and according to Ron Ross, NIST cybersecurity fellow, the catalyst for another revision was apparent: the DoD approached NIST regarding a revision at the end of last year following scathing reports on the DoD’s cybersecurity posture. With the increase in cyber attacks from nation-state actors and the expansion of the government supply chain, the need for a more comprehensive approach was apparent.

Specifically, contractors that fall under the DFARS mandate can expect to see an expansion of the controls included in 800-171 Rev 2. From what we’ve heard, it would appear that NIST is adding a new layer of controls and protocols on top of the existing requirements. This new layer, though, will be optional in some cases. What this indicates is that the term CUI has more than one subset of within that classification. The new layer will be required in certain cases based on the type of information that’s in question. We have not been able to ascertain who will be the discretionary body determining when the additional layers of controls are necessary, though.

The revision of 800-171 is a part of a greater overhaul of the DoD’s approach to cybersecurity, especially on the smaller contractor level.

“Our large primes are very savvy,” she [Ellen Lord] said. “They have the funds to create hardened environments. What I’m concerned with is, especially, the small companies who our innovation comes from, where when we sit down and talk to them about cybersecurity, we sometimes hear, no kidding, ‘My nephew does my cybersecurity.’ That gets us a little bit worried.”

The concern for the DoD, and the federal government as a whole is the age old dilemma of balancing innovation and its inherent risks with remaining secure. Alongside revisions to 800-171, they are exploring the development of a secure cloud that smaller contractors can build into which will meet the DFARS requirement for CUI.

What we will be interested to see if how this revision rolls up into the expansion of 800-171 from a DFAR to a FAR, which is anticipated by the end of the year.

SP 800-53 Rev 5

The fifth revision to SP 800-53 is another widely anticipated update from NIST. Ross alluded to integration of privacy controls, new supply chain controls, new cyber resiliency controls, and new systems engineering controls and processes.

Ross spoke about the increase in cyber attacks and the ever blurring of the lines between digital physical as the rationale for reworking 800-53. Alongside the external forces, this revision rolls up into a greater endeavor from the standards institute - something that Ross has coined FISMA Vision 2020, an overhaul of the FISMA requirements with the headlining action being the retirement of 800-53 Rev 4 for the new revision.

The Bottom Line

As we’ve seen with a slew of new executive orders, Congressional concern over the nation’s cybersecurity posture, and the national budget, the government is increasingly concerned over our nation’s cybersecurity posture (and rightly so). These revisions, alongside the release of the new Privacy Framework, mark a renewed commitment to the nation’s cyber integrity.

For organizations that fall under the DFARS mandate or have requirements to meet 800-53 compliance, remember these revisions are iterations and the best thing to do is start today. The greatest strategy for navigating the rapidly evolving realm of security compliance is to get ahead with a strong strategy that is not reactionary.

 

You may also like

Why GRC Needs IRM
on August 7, 2019

Today, every organization strives to optimize the speed with which they access information. Data is being stored, processed, transmitted and utilized in almost every day-to-day ...

Alison Furneaux
SSP and POAM Guidance for DFARS ...
on July 24, 2019

Defense federal acquisition regulation supplement (DFARS) Compliance has been top of mind for Prime contractors as well as Department of Defense (DoD) suppliers since before the ...

Alison Furneaux
Integrated Risk Management Magic ...
on July 17, 2019

It has been roughly one year since Gartner released the 2018 Magic Quadrant for Integrated Risk Management, the first of its kind, and as of this week the second Integrated Risk ...

Alison Furneaux
"Glass-box" Solutions Are Critical ...
on July 11, 2019

With the likes of Equifax and Marriott, it is no secret that cybersecurity has made its way into the Boardroom. While many executives are experienced in managing myriad business ...

Reading Between the Lines of NIST ...
on July 9, 2019

On June 19th, the National Institute of Standards and Technology (NIST) released the much anticipated Rev 2 of SP 800-171 and the working draft of supplement SP 800-171B. As the ...

How We're Making DFARS Compliance ...
on July 2, 2019

With the Department of Defense (DoD) making DFARS compliance a requirement for all contractors doing business with the DoD, a great amount of stress has been put on DoD ...