An update to one of the National Institute of Standards and Technology’s (NIST) information security documents offers strategies to help protect sensitive information that is stored in computers supporting critical government programs and high value assets.
The document, entitled Draft NIST Special Publication (SP) 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, now has a new draft companion publication, NIST SP 800-171B, that offers additional recommendations for handling Controlled Unclassified Information (CUI) in situations where that information runs a higher than usual risk of exposure. CUI includes a wide variety of information types, from individuals’ names or Social Security numbers to critical defense information.
When CUI is part of a critical program or a high value asset — such as a weapons system — it can become a significant target for high-end, sophisticated adversaries. In recent years, these programs and assets have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST.
“We need to provide safeguards and countermeasures that can stand up to these attacks,” said NIST’s Ron Ross, one of the publication’s authors. “We are requesting comments on this initial public draft, which we hope will help organizations protect CUI against our most advanced and persistent adversaries.”
NIST is accepting comments on both SP 800-171 Rev. 2, which received minor editorial updates, and SP 800-171B until August 2, 2019. In the future, NIST plans to issue final versions of both publications. In addition, a previously available companion document, NIST SP 800-171A, will be updated with new assessment procedures for the enhanced security requirements.
The original version of SP 800-171 appeared in 2015 and provided 110 recommended requirements to ensure the confidentiality of CUI residing on the computers of contractors and other organizations that interact with the government. The guidance in SP 800-171 supports more consistent and robust security implementations across the federal government’s supply chain. Over 60,000 unique business entities that serve as defense contractors are required to implement NIST SP 800-171 to protect CUI in their systems and networks. (NIST hosted a daylong webinar on CUI in October 2018, offering background on the original NIST SP 800-171 requirements.)
To address CUI in nonfederal systems and organizations that support critical programs or that form part of a high value asset, NIST has created SP 800-171B, which offers 32 recommended enhanced security requirements. This new companion publication does not alter the original guidance in the 2015 version, but simply provide additional tools to help deal with what are considered “advanced persistent threats” — those adversaries who possess the expertise and resources to play the long game of cyber warfare. They often attempt to establish long-term footholds within a target’s infrastructure to steal information or undermine critical aspects of its mission, sometimes years after the initial breach.
“When this happens, you need additional safeguards and countermeasures to confuse, deceive, mislead and impede the adversary,” Ross said. “The strategies in SP 800-171B can help you take away the adversary’s tactical advantage and protect and preserve your organization’s high value assets and critical programs, even after the adversary has penetrated your system.”
“The game is not lost after that initial penetration or breach,” he said. “It’s just beginning.”
The requirements in SP 800-171B are largely drawn from two other draft publications, NIST SP 800-160 Vol. 2 and NIST SP 800-53 Rev. 5, both of which NIST is developing to help engineer security into information systems.
Ross cautioned that only a small fraction of organizations would need to employ the new requirements.
“It’s important to recognize that these requirements will only be levied upon a small percentage of programs and assets,” he said. “Determining what those are is up to individual federal departments and agencies.”
Recognizing that many contractors do not have the in-house resources to implement the requirements fully, the revised draft indicates how an organization might use appropriate third-party contractors to perform specific tasks such as evaluating an organization’s resiliency to cyberattack or providing a Security Operations Center capability.
Ross also said that the requirements could be applied on a voluntary basis far beyond the world of government contracting, including in critical infrastructure systems.
“Everyone has high value assets, from small businesses to Fortune 500 companies,” he said. “These enhanced defenses are great tools for anyone to use. We do our jobs primarily for the federal government, but everyone gets to take advantage of NIST’s cybersecurity guidance.”
EDITOR'S NOTE: This story was updated on July 15 to reflect a new comment due date of August 2. The original due date was July 19.