A “robust response” to the upcoming release of the third revision of National Institute of Standards and Technology Special Publication 800-171 must feature three elements, according to Edward Tuorinsky, the founder of and managing principal at cyber, consulting and management services provider DTS.
Organizations must first evaluate the compliance of their security posture with the revised special publication’s new assessment objectives. Revision 2 had a total of 320 assessment objectives while Revision 3 brings that number up to 390, Tuorinsky wrote in a Thursday Federal News Network article.
Organizations must then prepare a plan of action and milestones, or POAM, that would close the gaps identified in the initial evaluation. The POAM would have to outline the tasks that have to be undertaken and propose a schedule for the work.
The third element involves preparing a new system security plan that would provide documentation proving that an organization meets Revision 3’s 390 assessment objectives. These objectives are spread across 95 security controls, down from 110 in Revision 2. In order for an organization to be compliant with a given control, all associated assessment objectives must be met.
Tuorinsky says an organization can reuse elements from a prior system security plan based on Revision 2 and simply edit them to align with the requirements of Revision 3.
NIST SP 800-171 Revision 3 is expected to come out in late April or May.
Edward Tuorinsky will join other cyber experts, government leaders and industry visionaries in speaking about the dynamic and evolving role of cyber in the public sector at the Potomac Officers Club’s 2024 Cyber Summit, which will take place in June.