Nations around the world are adding cyberwarfare to their arsenal, employing highly skilled teams to launch attacks against other countries. These adversaries are also called the “advanced persistent threat,” or APT, because they possess the tools and resources to pursue their objectives repeatedly over an extended period, adapting to defenders’ efforts to resist them.
Vulnerable data includes the sensitive but unclassified information managed by government, industry and academia in support of various federal programs. Now, a finalized publication from the National Institute of Standards and Technology (NIST) provides guidance to protect such “controlled unclassified information” (CUI) from the APT. NIST’s Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171, offers a set of tools designed to counter the efforts of state-sponsored hackers and complements another NIST publication aimed at protecting CUI.
“Cyberattacks are conducted with silent weapons, and in some situations those weapons are undetectable,” said Ron Ross, a computer scientist and a NIST fellow. “Because you may not ‘feel’ the direct effects of the next hack yet, you may think it is coming someday down the road; but in reality, it’s happening right now.”
The federal government relies heavily on nonfederal service providers to help carry out a wide range of missions using information systems — a term that includes computers, but also a range of other specialized technologies such as industrial control systems and the Internet of Things. The protection of sensitive federal information that resides in nonfederal systems — such as those used by state and local governments, colleges and universities, and independent research organizations — is of paramount importance, as it can directly impact the federal government’s ability to carry out its operations. A hack in 2018 that compromised sensitive information directly inspired the NIST team’s work on SP 800-172.
Formerly numbered SP 800-171B during its draft stages, SP 800-172 offers additional recommendations for handling CUI in situations where that information runs a higher than usual risk of exposure. CUI includes a wide variety of information types, from individuals’ names or Social Security numbers to critical defense information.
“We developed SP 800-171 in response to major cyberattacks on U.S. critical infrastructure, and its companion document SP 800-172 is designed to mitigate attacks from advanced cyber threats such as the APT,” Ross said. “Implementing the cyber safeguards in SP 800-172 will help system owners protect what state-level hackers have considered to be particularly high-value targets: sensitive information about people, technologies, innovation and intellectual property, the revelation of which could compromise our economy and national security.”
The enhanced security requirements are to be implemented in addition to those in SP 800-171, since that publication is not designed to address the APT. The requirements in SP 800-172 apply to the components of nonfederal systems that process, store or transmit CUI or that provide protection for such components. To further narrow the scope, the requirements are applied only when the designated CUI is associated with a critical program or high-value asset — the highest priority for protection.
Developed primarily for administrators such as program managers, CIOs and system auditors, the publication addresses the protection of CUI for system components by promoting penetration-resistant architecture, damage-limiting operations, and designs to achieve cyber resiliency and survivability. Its tools, divided into 14 families, are not intended to be implemented en masse, but selected according to the needs of the organization.
“Most likely an organization implementing this guidance will not want to use all of the enhanced security requirements we offer here,” Ross said. “The decision to select a particular set of enhanced security requirements will be based on your mission and business needs — and then guided and informed by ongoing risk assessments.”
In response to feedback received during the public comment period, the final draft includes updated scoping and applicability guidance and a more flexible requirements selection approach to allow organizations to customize their security solutions.
Ross said that the tools in the new publication should offer hope to anyone seeking to defend against hacks, even by as intimidating a threat as the APT.
“The adversaries are bringing their ‘A-game’ in these cyberattacks 24 hours a day, 7 days a week,” he said. “You can start making sure the damage is minimized if you use SP 800-172’s cyber safeguards.”