Insights from Bob Metzger: NIST 800-171 Revision 3
In this short video, Bob Metzger, a well-respected authority on government security laws and regulations related to the Defense Industrial Base and CMMC, speaks with Bill Wootton, chief revenue officer at C3 Integrated Solutions, about what's in NIST 800-171 Revision 3, and how it affects defense contractors.
The information provided in this video does not, and is not intended to, constitute legal advice; instead, all information, content, and opinions expressed in this video should be considered discussion for the purposes of public interest only.
Bill Wootton: Hi, I’m Bill Wootton, Chief Revenue Officer of C3 Integrated Solutions. And recently, I had the pleasure of sitting down with the legendary Bob Metzger, a well-respected authority on government security laws and regulations related to the Defense Industrial Base, as well as CMMC. Now, as a member of C3’s Board of Directors, Bob’s already provided us a tremendous amount of value towards our strategy and direction, and we thought it would be great to give him the opportunity to do the same for you. Let’s listen in on what Bob had to say about the recent draft release of NIST 800-171, Rev 3.
So, Bob, the draft for NIST 800 171 REV3 came out recently. We’ve gone through the period of public comments, and now they’re adjudicating it. Can you talk a little bit about where we are in that process and what we expect next?
Bob Metzger: Well, it was a fascinating document.
Like many, when I read it, I became interested, concerned, and then worried, about the number of organizationally defined parameters. NIST, in many respects, was sensible and thoughtful in preparing the rule from the viewpoint of NIST, which is not responsible for the actual implementation or workability of these rules.
NIST said, well, gee, we, NIST, shouldn’t be setting the values for what individual federal agencies will want their contractors or suppliers to meet. So in instances where there’s choices between a little, a fair amount, and a lot, we’re just going to make that an organizationally defined parameter, and leave it up to the agencies eventually to decide.
I think there were 109 ODPs in Rev 3. Well, the problem is that contractors who actually must implement 171 inevitably are going to wonder what the values are. And there’s no assurance that any contractor will find that the values are the same from DoD as opposed to DHS, or DHS as opposed to CISA, or even within DoD for particular customers or elements.
And so what this means is that a sensible idea in the real world would wreak havoc. I helped a leading trade association, the Coalition for Government Procurement, write comments to the initial public draft of REV3. And I was highly skeptical of the approach towards organizationally defined values. So were many others.
In fact, remarkably, the Department of Defense itself filed a comment which said, “We don’t think this works.”
Bill Wootton: Can you tell us where else Rev 3 may cause some concerns?
Bob Metzger: You know, as you know, it seemed to require that there be independent assessments, essentially by anyone subject to REV 3. Well, I may love the concept, but again, just where are these assessors?
Who are they? How are they accredited? Who can afford them? And can you do it yourself or must you use a third party? So it’s another great idea with practical concerns. We also were including supply chain risk management, which I think is extremely important. But there’s a whole body of expertise in itself about what SCRM means and how to do it.
And so, in truth, even though it was a very informative document and reflected a huge amount of thoughtful work, it caused me to think that it would be much more burdensome to most, if not every contractor, and potentially a lot more expensive. And so my reaction overall was to doubt that the final Revision 3 would look very much like the first IPD that was proposed. And in fact, NIST has already said publicly that it will be making significant revisions to the draft, and then it will be reducing substantially the number of organizationally defined parameters.
Bill Wootton: It’s always interesting in this pursuit of trying to build flexibility into their standards, they actually introduce complexity and more challenges when they kind of take these steps with things.
Do we think that Rev 3 is going to be part of the early days of CMMC? Or do you think that will be more of a delayed rollout?
Bob Metzger: I think it has to be a delayed rollout. First, we don’t know what will be in the final version of REV 3. Second, REV 3 is useful for CMMC only when it is accompanied by the companion 171A Assessment Guide, REV 1 [corrected]. NIST has said that when it produces the next draft of 171, it will also publish the first draft of the first revision to 171A.
Well, it’s the combination of the two that will be operative when they are finished. But even then, we have to appreciate just how much of the CMMC ecosystem is built upon Rev 2 and the complexity or details of that ecosystem. If we think about the assessment process, the training and accreditation of assessors, and what assessors are supposed to do when they get to, you know, your plant or your facility for assessment, all of this is wrapped around Rev 2, and we can’t even start preparing the successor versions for REV3 until after those are finalized. I’m well aware, of course, that when you read the DFAR 7012 clause, you see that it says that companies are supposed to apply the version of 171 that is in effect at the time that they take a contract. And there will be companies who get contracts after REV3 is final but before the CMMC ecosystem is adjusted.
I am convinced that DoD is not going to allow that kind of disruption to happen. How can companies satisfy Rev 3 if the means to do so and the assessment methods are barely understood? DoD has the authority to issue certain deviations from regulations. In situations like this in the past, DoD has used its class deviation authority to postpone the effectiveness of a particular part of an existing regulation.
I’m pretty confident that will happen here. I believe the department is well aware of the potential and actual difficulties that many contractors will experience in implementation of the CMMC 2.0 rule. They will not want to add to the confusion, expense, disruption, and dismay by premature imposition of REV3.
And I note that in the FedRAMP area, only in the last month or so, has FedRAMP updated its requirements to reflect the new SP 800-53 REV5. I believe it was about two years between the finalization of REV 5 and the first publication by FedRAMP of its official transition guidance. So that’s something of an instruction.
Bill Wootton: So important to realize that… NIST 171 is the starting point for CMMC and not everything with CMMC and the ripple effects that happen when you make that update. But with that in mind, is there anything the contractors should be doing today with respect to REV 3, anything actionable there?
Bob Metzger: Yes. There’s a lot to learn in REV 3. Many of us who have lived with REV 2 or REV 1 for a long time have found that it’s somewhat opaque, and we’ve been confused by the distinction between non-federal organizations and other categorizations. I think REV3 does a much better job than its predecessor in explaining what is expected to meet each of the controls.
They are now enumerated better. And so if you don’t really understand what is supposed to be done or why, REV3 will help you understand it. Now, from the standpoint of compliance, or from the viewpoint of an assessor, all those additional details tend to increase the size of the stack of the things that you have to demonstrate to an assessor.
That’s a problem. Also, there are some distinct new features and included new purposes such as supply chain risk management that are signals of where NIST is going, and I think where federal departments and agencies will want their contractors to go. So what I’ve said to a couple of my clients is that we shouldn’t start to change our plans about the initial public draft of Rev 3 — it’s too early, but we should read it. And we should be able to compare what it expects with what we’re doing, and we’re planning. And we may be able to adjust our strategic planning and perhaps accelerate the design or decision cycle on some new features to kind of get ahead of what Rev3 eventually will require.
Finally, Bill, as you’ve suggested earlier, 171 Rev2 is just a baseline. It is very important for companies who can to do better because doing better means, for example, that you’ll be more robust and have less vulnerability, I think, to a ransomware attack, that you may have better resilience, that you may have improved awareness of events and ability to respond.
Well, of course, compliance is important. We have to do it. There is still a distinction between compliance and security. And the latter may call upon the earlier adoption of some rev 3 propositions than compliance itself would at this point in time.
Bill Wootton: Do you have any thoughts or any words for our friends over at NIST relative to Rev 3 and where they should go with the next draft of this?
Bob Metzger: Well, that’s a great question.
I’ve known Ron Ross for at least eight years, I guess. And I admire so much what he and Vicki Pillitteri and others have done at NIST. It’s so hard and their work is so valuable in so many areas.
But sometimes they are a bit detached from the reality on the ground. And I think that the weight of the comments I’ve seen, including some from DOD and other federal agencies, suggests that maybe NIST is looking a little bit towards idealized standards and practices without enough appreciation for how agencies can or should implement them. So I hope that NIST will be careful to appreciate not just the change intellectually, but the consequence of the change practically. In the comments that I helped prepare for the Coalition for Government Procurement, I urged an effort to be coordinated among agencies involving OMB and the Office of the National Cyber Director so that there could be an interagency and coordinated approach to the implementation of REV3.
If our real problem, looking at the draft, is we just don’t know how it will work or how it can be run consistently, well, that’s not a problem NIST can solve, nor is it a problem that DOD itself can solve. Since NIST documents can be used by any federal agency and relied upon by commercial organizations as well, I think it’s important to have some executive branch leadership on how 171 Rev 3 will be applied, should be implemented, will be managed.
Bill Wootton: I think that’s a great point. We are starting to see 171 in state and local documents. We’re starting to see it in Fortune 500 documents as either a requirement or a measuring standard for security. So the reach of this change is well beyond kind of, you know, sometimes what we get focused on with CMMC; it is such a bigger impact when they make that update.