How can increased cybersecurity measures benefit today’s heat treaters and their clients? Find out more with an exploration of the coming changes in CUI and the way these changes could affect heat treating companies.
Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column was first released in Heat Treat Today’s September 2023 People of Heat Treat print edition.
Introduction
This 10th article in the series from Heat Treat Today’s Cybersecurity Desk will explain some of the changes that are being proposed in the IPD (Initial Public Draft) of NIST SP 800-171 Revision 3. On May 10, 2023, the National Institute of Standards and Technology (NIST) released a draft version of Rev. 3 for Special Publication (SP) 800-171, the foundational framework of requirements for protecting controlled unclassified information (CUI). The final version of NIST SP 800-171 Rev. 3 is expected to be released in early 2024.
Don’t panic about these proposed changes in Rev. 3. If you handle CUI and you are working towards your compliance, continue to implement Rev. 2. Don’t wait until Rev. 3 is fully released to start. Remember, DFARS mandates that if you are a DoD prime contractor or subcontractor with CUI, you need to be compliant with NIST 800-171 Rev. 2 as well as CMMC Level 2 or 3 certified. CMMC certification deadline is in 2025 and it’s fast approaching.
Modifications & Additions to Rev. 3
The changes in Rev. 3 should have a positive impact on your ongoing compliance management program. They simultaneously made the requirements easier to understand and implement while also preserving and even adding flexibility that allows companies to make risk-based decisions about their environments and the data managed in those environments. These include the merging, addition, removal,
and clarification of several different requirements. The most obvious difference is that the requirements went from 110 controls down to 109. This was because they had withdrawn 27 of the original controls (most are migrated into another existing control) and added 26 new requirements.
Categories of Changes
• 18 Controls with “No Significant Change”: Editorial changes to requirement; no change in outcome.
• 49 Controls with “Significant Change”: Additional detail in the requirement, including more comprehensive detail on foundational tasks for archiving the outcome of the requirement.
• 18 Controls with “Minor Changes”: Editorial changes. Limited changes in the level of detail and outcome of requirements.
• 26 Controls with “New Requirements”: Newly added requirement in IPD SP 800-171 Rev. 3.
• 27 Controls with “Withdrawn Requirements”: Requirement withdrawn.
• 53 Controls with “New Organization-Defined Parameter (ODP)”: New ODPs can apply to all change types with the exception of withdrawn requirements. Each requirement includes one or more new ODPs.
Implications for Heat Treaters
What has not changed is that companies that handle CUI must comply with the NIST 800-171 cybersecurity standards. Failure to comply can result in significant consequences, including loss of contracts and damage to the company’s reputation. With the release of Rev. 3, heat treaters must ensure they are up to date with the latest security requirements. One of the most significant changes in Rev. 3 is the addition of new security requirements. Heat treating companies must review these new requirements and ensure they have implemented the necessary controls to meet them. Also, organizations must review the updated requirements to ensure they meet the latest best practices. The reorganization of the security requirements may also impact heat treaters. The alignment with the NIST Cybersecurity Framework provides a more comprehensive approach to security. However, some companies may need to adjust their current security programs to align with the new structure. By staying informed and implementing the necessary controls, heat treat organizations can ensure they are adequately protecting CUI and meeting their compliance obligations to their clients.
About the Author:
Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.