Department of Defense Organization-Defined Parameters for National Institute of Standards and Technology Special Publication 800-171 Revision 3

The Department of Defense (DoD) memorandum titled “Department of Defense Organization-Defined Parameters for National Institute of Standards and Technology Special Publication 800-171 Revision 3” establishes standardized values for Organization-Defined Parameters (ODPs) within NIST SP 800-171 Revision 3. These ODPs allow organizations to tailor specific security controls based on their unique risk management strategies. The DoD’s defined ODP values are intended to serve as the minimum security requirements for contractors handling Controlled Unclassified Information (CUI).

Key Points:

  • Purpose: To provide standardized ODP values for implementing NIST SP 800-171 Revision 3 controls across DoD contractors.

  • Development Process: The ODP values were derived from existing federal frameworks and refined through collaboration with DoD offices, external government agencies, University-Affiliated Research Centers, Federally Funded Research and Development Centers, and industry stakeholders.

  • Implementation: The defined ODP values are to be used as policy for contractors and will be updated as necessary to reflect evolving security requirements.

The memorandum includes an attachment detailing specific ODP values for various security controls, such as access control, audit and accountability, configuration management, and incident response. These values specify parameters like time frames for disabling inactive accounts, frequency of security training, and requirements for system configurations.

https://dodcio.defense.gov/Portals/0/Documents/CMMC/OrgDefinedParmsNISTSP800-171.pdf
