Skip to main content
All CollectionsFrameworksNIST SP 800-171 Rev. 2
NIST SP 800-171 Rev. 2 Framework Updates
NIST SP 800-171 Rev. 2 Framework Updates
Updated over 3 months ago

What you need to know about the NIST SP 800-171r2 framework updates released on 9/5/2024.

Overview

Prior to 9/5, NIST SP 800-171r2 was a requirements-only framework in Drata, where you managed your own controls, policies, and risks. However, with this release, we have released full framework support so that the NIST SP 800-171r2 product has all the automation and enablement resources that Drata offers.

If you already had NIST SP 800-171r2 at the time of this update, you may have experienced a change in your framework readiness when the updates were released.

Read on to learn about the updates and your action items.

Updates to this framework in Drata

Here is an overview of the resources that now come with the NIST 800-171 framework:

Resource

Details

Requirements

110

Mapped DCF Controls (Total)

195

Newly-developed DCF controls

26

DCF Control Updates

16 Name Updates

63 Description Updates

18 Control to Policy Mapping Updates

Policies

22 policy templates are associated with this framework:

  • Acceptable Use Policy

  • Asset Management Policy

  • Change Management Policy

  • Data Classification Policy

  • Data Protection Policy

  • Data Retention Policy

  • Encryption Policy

  • Network Security Policy

  • Incident Response Plan

  • Information Security Policy

  • Maintenance Management Policy

  • Password Policy

  • Physical Security Policy

  • Risk Assessment Policy

  • Software Development Life Cycle Policy

  • System Access Control Policy

  • System and Information Integrity Policy

  • System and Services Acquisition Policy

  • System Security Planning Policy

  • Vendor Management Policy

  • Vulnerability Management Policy

  • Logging and Monitoring Policy

Other Additions

“Assessment Objectives” column added to the requirements, based on NIST 800-171A guidelines.

Next steps

If you are a customer who has had NIST SP 800-171r2 prior to the release of the full framework support, you may have experienced a change in your readiness score because of our newly-added controls. You can mark the new controls we added to your account out of scope if you don’t want to use them, but we recommend reviewing these new controls and associated mappings first, which were created by Drata’s GRC experts to help you in implementing this framework.

Your readiness score may have also changed because of policy templates that we have added to your account for this framework, which you may not have had before. We recommend reviewing these policy templates and incorporating them into your compliance program, but you can also choose to archive them if you want to use your own policies.

Here’s an overview of action items to take:

  1. Assess all additional DCF controls to determine if they are applicable or relevant to your organization. If they are not or if you want to continue managing your own control set as-is, you can mark them out of scope.

  2. Additionally, some controls have received updated templates. Revert to the latest template for the most accurate information and guidance.

  3. Review any additional policy template, edit as appropriate, and approve them. Once approved, send them to your personnel for acknowledgement, if applicable. Otherwise, archive them.

Did this answer your question?