NIST Security Controls: Deep Dive with Dr. Ron Ross

At first glance, the initial public draft of NIST Special Publication (SP) 800-171 revision 3 is a big change compared to previous versions. Formatting changes, variable parameters, and new requirements have seemingly come out of nowhere. In reality, SP 800-171 is a reflection of the much larger SP 800-53. The evolution of SP 800-53 over time has a direct effect on the look and feel of SP 800-171 and on the cost, burden, and impact of assessment programs like CMMC. NIST Fellow Dr. Ron Ross joins the show to walk us through where SP 800-53 has been, where it's going, and how a broader understanding helps put SP 800-171 into context for federal contractors. For more information and resources, please visit: https://www.summit7.us/resources#resources_nist

Episode Links:

Rainbow Series: https://en.wikipedia.org/wiki/Rainbow_Series

Anderson Report (PDF): https://csrc.nist.rip/publications/history/ande72.pdf

Ware Report: https://en.wikipedia.org/wiki/Ware_report

A Vulnerable System: https://www.amazon.com/Vulnerable-System-Information-Security-Computer-ebook/dp/B08YP9XH84

The Perfect Weapon: https://www.amazon.com/Perfect-Weapon-Sabotage-Fear-Cyber/dp/0451497899

FISMA: https://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002

FIPS 200: https://csrc.nist.gov/publications/detail/fips/200/final

FIPS 199: https://csrc.nist.gov/publications/detail/fips/199/final

RMF: https://csrc.nist.gov/projects/risk-management/about-rmf

Alan Paller: https://www.sans.org/about/our-founder/

Metrics as surrogates: https://hbr.org/2019/09/dont-let-metrics-undermine-your-business

EO 13556: https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information

CUI Registry: https://www.archives.gov/cui/registry/category-list

SP 800-171 r3 initial draft: https://csrc.nist.gov/publications/detail/sp/800-171/rev-3/draft

SP 800-53 r5: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final