Send us a text

🚨 Working with the Department of Defense or handling Controlled Unclassified Information (CUI)? Here’s what you need to know about the DOD’s new approach to NIST SP 800-171 Revision 3 ODP values.

Just listened to the latest episode of CMMC News, where the hosts did a deep dive into the recent DOD memo standardizing “Organization Defined Parameters” (ODPs) for protecting CUI. If you’re a defense contractor—or work in the DIB—these aren’t just guidelines, they are your new minimums.

🔑 3 Key Takeaways:

• No More Guesswork: The DOD has filled in the “blanks” of NIST 800-171 R3 by setting specific ODP values. These are now the baseline for all contractors—think max inactivity timeouts, access control reviews, and patching deadlines.
• Timelines Are Tight: Some key numbers to know:
  • Account inactivity? Disable within 90 days.
  • Privileged session logoff? Required at end of work period.
  • High-risk vulnerability patching? 30 days max.
  • Quarterly updates for password “bad lists” and system inventories.
• Documentation & Continuous Vigilance: Annual (or more frequent) reviews for policies, logs, training, and agreements are now required. Plus, always justify and document any deviations or risk-based modifications—the DOD wants your decisions traceable.

The big picture: The DOD is taking out ambiguity. If you handle CUI, you must implement these specific controls—or document strong justification for any flexibility allowed. And these requirements will change as threats evolve, so keep your risk assessments and compliance efforts agile.

Want the full detail? Highly recommend listening to the episode and reviewing both the NIST SP 800-171 R3 standard and the new DOD ODP memo. Stay compliant, stay secure! 💪

See the original PDF here: https://drive.google.com/file/d/1rtgUmlaCiUKst-mHR7Fsz5O95g46hCra/view

#cybersecurity #DoD #NIST #CUI #compliance #riskmanagement #defenseindustry

Support the show