NIST SP 800-171 R3 - Never Let A Catalyst For Positive Change Go To Waste
Never let an opportunity go to waste - NIST SP 800-171 R3 can be a catalyst for positive change

This brief article is directed towards CISOs, and aspiring CISOs, whose organizations are impacted by NIST SP 800-171 and Cybersecurity Maturity Model Certification (CMMC).

Not all the changes in the NIST SP 800-171 R3 IPD (Initial Public Draft) will make it into the final version, but it is highly likely that most of what is in the IPD will. If you haven’t had a chance to read the NIST SP 800-171 R3 IPD, it is well worth your time. NIST also published a summary of changes between R2 and the R3 IPD that provides a condensed list of changes to be familiar with.

The final version of NIST SP 800-171 R3 is expected in early 2024, with NIST SP 800-171A R3 followed sometime in 2024 and eventually a “CMMC 3.0” iteration that addresses the new requirements established by NIST.

As a CISO, this should excite you as an external catalyst that can help bring about positive change. However, that change is going to be limited by your ability to craft the appropriate messaging and deliver it to the proper audience.

What does this specifically mean?

  1. Create a prioritized, multi-year roadmap to address reasonably-expected changes.
  2. Develop a financial resourcing plan to justify budget requests. Be prepared to push back on any underwhelming budgets with realistic compliance implications.
  3. Develop a marketing plan to sell your multi-year cybersecurity roadmap to pertinent stakeholders with the intent of creating cheerleaders to support your initiative.

Key Points to Consider

  • This is your opportunity to get ahead of things by educating stakeholders early about foreseeable changes that will impact their business operations, so that when those changes arrive nobody is tempted to “shoot the messenger.”
  • This can be an opportunity to make a broader architectural shift that can benefit overall resilience and remote workforce efficiencies.
  • Look at the broader picture – NIST SP 800-171 R3 has specific callouts for Cybersecurity Supply Chain Risk Management (C-SCRM) and even new Non-Federal Organization (NFO) controls that require Secure Software Development Practices (SSDP).

Business planning for CISOs can be a bit scary for those without a business background. Thankfully, there are considerable resources available online to conduct this type of business planning. If you get stuck, let me know and I can help provide a few pointers.


About The Author

If you have any questions about this, please feel free to reach out. Tom Cornelius is the Senior Partner at ComplianceForge, an industry leader in cybersecurity and privacy documentation. He is also the founder of the Secure Controls Framework (SCF), a not-for-profit initiative to help companies identify and manage their cybersecurity and privacy requirements.