NIST updates to help defend sensitive information from cyberattack

NIST notes that the original version of SP 800-171 appeared in 2015 and provided 110 recommended requirements to ensure the confidentiality of CUI residing on the computers of contractors and other organizations that interact with the government. The guidance in SP 800-171 supports more consistent and robust security implementations across the federal government’s supply chain. Over 60,000 unique business entities that serve as defense contractors are required to implement NIST SP 800-171 to protect CUI in their systems and networks. (NIST hosted a daylong webinar on CUI in October 2018, offering background on the original NIST SP 800-171 requirements.)

To address CUI in nonfederal systems and organizations that support critical programs or that form part of a high value asset, NIST has created SP 800-171B, which offers 32 recommended enhanced security requirements. This new companion publication does not alter the original guidance in the 2015 version, but simply provides additional tools to help deal with what are considered “advanced persistent threats” — those adversaries who possess the expertise and resources to play the long game of cyber warfare. They often attempt to establish long-term footholds within a target’s infrastructure to steal information or undermine critical aspects of its mission, sometimes years after the initial breach.

“When this happens, you need additional safeguards and countermeasures to confuse, deceive, mislead and impede the adversary,” Ross said. “The strategies in SP 800-171B can help you take away the adversary’s tactical advantage and protect and preserve your organization’s high value assets and critical programs, even after the adversary has penetrated your system.” 

“The game is not lost after that initial penetration or breach,” he said. “It’s just beginning.” 

The requirements in SP 800-171B are largely drawn from two other draft publications, NIST SP 800-160 Vol. 2 and NIST SP 800-53 Rev. 5, both of which NIST is developing to help engineer security into information systems. 

Ross cautioned that only a small fraction of organizations would need to employ the new requirements. 

“It’s important to recognize that these requirements will only be levied upon a small percentage of programs and assets,” he said. “Determining what those are is up to individual federal departments and agencies.” 

Recognizing that many contractors do not have the in-house resources to implement the requirements fully, the revised draft indicates how an organization might use appropriate third-party contractors to perform specific tasks such as evaluating an organization’s resiliency to cyberattack or providing a Security Operations Center capability.  

Ross also said that the requirements could be applied on a voluntary basis far beyond the world of government contracting, including in critical infrastructure systems.  

“Everyone has high value assets, from small businesses to Fortune 500 companies,” he said. “These enhanced defenses are great tools for anyone to use. We do our jobs primarily for the federal government, but everyone gets to take advantage of NIST’s cybersecurity guidance.”