NIST 800-171 Rev2 & NIST 800-171B

Posted by ComplianceForge on Jun 19th 2019

The draft of NIST 800-171 rev2 was released today. Most importantly, there are no changes to the controls (e.g., basic and derived security requirements in chapter 3) from NIST 800-171 rev 1. However, NIST did state that when NIST 800-53 rev5 is released, NIST will provide a comprehensive update to NIST 800-171 that will include updates to the basic and derived requirements. This NIST 800-171 rev3 will include modified control families and privacy integration, and will make other conforming edits that are necessary.

A draft of NIST 800-171B was also released, which is focused on protections against Advanced Persistent Threats (APTs). The numbering of these "enhanced" controls will end up being confusing, since NIST has chosen to use the same numbering format as NIST 800-171 and simply add a lowercase "e" to the end of the control (e.g., 3.1.1e, 3.1.2e, 3.1.3e, etc.). 3.1.1 from NIST 800-171 is a completely different control from 3.1.1e in NIST 800-171B, so you can see how that can get confusing. The only similarity is that those controls share the 3.1 Access Control family.

Based on the long history of delays from NIST, we do not expect to see the final version of NIST 800-53 rev5 before late 2019, at the earliest. Given that, the earliest we expect to see NIST 800-171 rev3 is sometime in 2020.