
At first glance, the initial public draft of NIST Special Publication (SP) 800-171 revision 3 is a big change compared to previous versions. Formatting changes, variable parameters, and new requirements have seemingly come out of nowhere. In reality, SP 800-171 is a reflection of the much larger SP 800-53. The evolution of SP 800-53 over time has a direct effect on the look and feel of SP 800-171 and on the cost, burden, and impact of assessment programs like CMMC. NIST Fellow Dr. Ron Ross joins the show to walk us through where SP 800-53 has been, where it's going, and how a broader understanding helps put SP 800-171 into context for federal contractors. For more information and resources, please visit: https://www.summit7.us/resources#resources_nist
Episode Links:
Rainbow Series: https://en.wikipedia.org/wiki/Rainbow_Series
Anderson Report (PDF): https://csrc.nist.rip/publications/history/ande72.pdf
Ware Report: https://en.wikipedia.org/wiki/Ware_report
A Vulnerable System: https://www.amazon.com/Vulnerable-System-Information-Security-Computer-ebook/dp/B08YP9XH84
The Perfect Weapon: https://www.amazon.com/Perfect-Weapon-Sabotage-Fear-Cyber/dp/0451497899
FISMA: https://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002
FIPS 200: https://csrc.nist.gov/publications/detail/fips/200/final
FIPS 199: https://csrc.nist.gov/publications/detail/fips/199/final
RMF: https://csrc.nist.gov/projects/risk-management/about-rmf
Alan Paller: https://www.sans.org/about/our-founder/
Metrics as surrogates: https://hbr.org/2019/09/dont-let-metrics-undermine-your-business
EO 13556: https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information
CUI Registry: https://www.archives.gov/cui/registry/category-list
SP 800-171 r3 initial draft: https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/draft
SP 800-53 r5: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final