Final Version of NIST SP 800-171, Revision #1
29 Dec 2016 — we were recently notified of an update to the (ever-changing) NIST SP 800-171. As is the norm with regulations like this, regular updates are to be expected, but an update this late in the game is something you should be aware of and planning for.
NIST released the summary of changes and the final version of SP 800-171, Revision #1, on December 20th. SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is the NIST Special Publication that defines the security requirements defense contractors must implement under DFARS 252.204-7012, with a compliance deadline of December 31, 2017. The draft of Revision #1 was released in August 2016 for comment. The first version of SP 800-171 was released in June 2015 and updated in January 2016. While many of the changes in this latest version are simple verbiage changes, one major addition in the draft, now carried into the final publication, is the requirement for System Security Plans (SSPs).
SSPs are a common artifact on contractor and government classified networks, but until now they have never been mandated for the unclassified contractor networks that SP 800-171 covers.
While this is certainly good from a holistic IT security perspective, it will be an additional burden for organizations of any size. The format and level of detail are not prescribed by the requirement, but the plan is expected to describe the system boundaries, the system's environment of operation, how the security requirements are implemented, and the relationships with or connections to other systems.