Many of us in the DoD contracting world have been working over the past year from the DRAFT versions of NIST 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Now that the FINAL version has been released, we've noticed some changes in the Assessment Objectives (additions, deletions, different wording), but no revision history detailing those exact changes was released. Cross-walking the DRAFT against the FINAL version to locate the differences can therefore be tedious, but many of us who use automated tools or spreadsheets to manage assessments will need to do this to stay up to date.
To aid you in updating your tools, we've created a table summarizing the major changes. We define a major change as an addition, deletion, or significant change in wording to the Objective; minor changes, such as typo fixes or slight changes in wording of the Objective, are not noted in this table. The table lists added, deleted, or changed Assessment Objectives by Objective ID, and also includes some notes.
Best of luck with your assessments; let us know at [email protected] if you have any comments or questions.
–Adam Austin
Cybersecurity Lead