What are “ghost controls” in NIST 800-171 R3? A ghost control is a legacy control that no longer exists in NIST 800-171 R3 but is still reasonably required in order to demonstrate compliance.
There are several aspects of the NIST 800-171 R3 Final Public Draft (FPD) that rest on significant unstated assumptions. In order to address the actual compliance requirements, there are “ghost controls” that organizations will still need to be able to reasonably demonstrate.
In NIST 800-171 R3 FPD, there are quite a few ghost controls:
- 3.2.1 & 3.2.2 require user-level training, but NFO AT-4 (Training Records) was removed. The ability to demonstrate that training was performed is by producing evidence of individual training records, so technically AT-4 still exists as a ghost control.
- 3.2.2 requires role-based training, 3.9.2 requires permission modifications when individuals change roles and 3.15.2 requires Rules of Behavior (RoB) for handling CUI, but there is no requirement for an organization to formally assign individuals to roles or even to define roles. There are many assumptions around Human Resources (HR) practices that do not have explicit controls within NIST 800-171 R3 FPD. Reasonable expectations such as Non-Disclosure Agreements (NDAs), formally assigned roles & responsibilities, employee investigation practices, background check requirements, etc. are ghost controls.
- 3.4.10 requires a system component inventory, 3.4.11 requires information location to be defined and 3.17.1 requires a Supply Chain Risk Management (SCRM) Plan, but there is no requirement to maintain an inventory of External Service Providers (ESPs). Having a comprehensive inventory of ESPs and the associated Data Flow Diagrams (DFDs) is a ghost control.
- 3.4.12 requires specific configurations for “high-risk areas” but lacks any definition of what a high-risk area is. As written, the control could mean a system deployed to a DMZ architecture or it could also mean an individual traveling to China. Defining “high-risk areas” for an organization is a ghost control.
- 3.7.4 requires control of maintenance tools, 3.7.5 requires control of non-local maintenance and 3.7.6 requires control of maintenance personnel, but there is no requirement to actually perform maintenance. NIST 800-171 R3 FPD recategorized the requirement to actually perform maintenance as an NCO control. However, performing maintenance is still required, since 3.11.2 and 3.14.1 still require maintenance activities to be performed for flaw remediation. This means that having some form of maintenance program is a ghost control.
- 3.10.6 addresses physical security requirements for “alternate work sites” but not for remote workers whose primary place of business is their home. Technically, a 100% remote worker who works from their kitchen table or home office is working in their primary (assigned) place of business, not an alternate. An “alternate work site” would mean working from a conference room, airport lounge, coffee shop, etc. Having this clarification for remote workers is a ghost control.
- 3.16.2.b requires that options be provided for risk mitigation, which describes a compensating control. However, there are no controls in the risk assessment (3.11) section that describe acceptable methods of risk mitigation. A process to identify and validate compensating controls is a ghost control (e.g., mitigating the risk associated with VDI).
- There are multiple controls that require the implementation of “secure engineering practices” to securely implement technical solutions. However, 3.13.2, the control that actually requires secure architectures, development practices and secure engineering principles, was recategorized as an NCO control. Having secure engineering practices is a ghost control.
When you get to sections 3.16 (acquisition process) and 3.17 (supply chain risk management), those are more than just ghost controls, since those require their own program-level documentation to exist to demonstrate compliance with how acquisition is being performed and security is being enforced across the supply chain. Those are "nested programs" that will have documentation expectations that exist outside of just policies, standards and procedures (e.g., like an Incident Response Plan (IRP)).
NIST 800-171 R3 FPD includes significant changes for documentation requirements, as compared to what was expected in NIST 800-171 R2. At face value, there are significant changes just by the number of requirements:
- 13% reduction in CUI controls (110 to 96)
- 100% reduction in NFO controls (61 to 0)
- 49% increase in Assessment Objectives (AOs) (320 to 478)
However, what these numbers do not reflect is the level of effort these changes incur. In many cases, NFO controls and some CUI controls were simply incorporated into the remaining CUI controls. In these cases, the CUI controls simply became more complex, due to an increase in scope from the inclusion of other controls.
If you are in need of professionally-written NIST 800-171 R3 documentation, ComplianceForge has multiple options available. We already have NIST 800-171 R3 FPD controls and NIST 800-171A R3 IPD Assessment Objectives (AOs) mapped into our solutions, so if you want to get ahead of things then we can help give you a boost. You can read more about them here: https://complianceforge.com/nist-800-171-cmmc-2-compliance/
Seasoned compliance and risk leader in Banking, Media, & Tech. Expert in transforming AI and data compliance, operation security, managing audits, and driving success in senior roles through strategic initiatives.
(11 months) The 'ghost controls' in NIST 800-171 R3 indicate significant flaws, undermining security improvements. Omissions in critical areas like user training, role assignments, and HR practices introduce ambiguity. Lack of explicit requirements for ESP inventories and 'high-risk areas' adds to clarity issues. Reclassifying controls, like secure engineering practices, as non-compliance objectives raises doubts about the framework's commitment to secure solutions. Discrepancies in controls related to maintenance and remote work show a lack of specificity, potentially undermining security. Sections classified as 'nested programs' in acquisition and supply chain risk management necessitate extra documentation, introducing complexity without enhancing security. Anticipated documentation changes in NIST 800-171 R3, like reduced CUI controls, may weaken the overall security posture. In conclusion, identified issues reveal a gap between intended security improvements and the practical effectiveness of NIST 800-171 R3. Addressing these concerns is crucial for a comprehensive and reliable foundation for cybersecurity compliance.
Brain rental service for ISO certifications/accreditations.
(11 months) A "reasonable expectation" isn't a requirement or control. It's an opinion. Good lord, the stupid is strong today.