Additional strategies have been added to an update of one of the National Institute of Standards and Technology’s (NIST) information security documents, which helps protect sensitive information stored in computers supporting critical government programs and high value assets.
The document, entitled “Draft NIST Special Publication (SP) 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” now has a draft companion publication, NIST SP 800-171B, that offers additional recommendations for handling Controlled Unclassified Information (CUI) in situations where that information runs a higher than usual risk of exposure. CUI includes a variety of information types, from individuals’ names or Social Security numbers to critical defense information.
When CUI is part of a critical program or a high value asset — such as a weapons system — it can become a significant target for high-end, sophisticated adversaries. In recent years, these programs and assets have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST.
“We need to provide safeguards and countermeasures that can stand up to these attacks,” said NIST’s Ron Ross, one of the publication’s authors. “We are requesting comments on this initial public draft, which we hope will help organizations protect CUI against our most advanced and persistent adversaries.”
In the future, NIST plans to issue final versions of both publications. In addition, a previously available companion document, NIST SP 800-171A, will be updated with new assessment procedures for the enhanced security requirements.
The original version of SP 800-171 appeared in 2015 and provided 110 recommended requirements to ensure the confidentiality of CUI residing on the computers of contractors and other organizations that interact with the government. The guidance in SP 800-171 supports more consistent and robust security implementations across the federal government’s supply chain. Over 60,000 unique business entities that serve as defense contractors are required to implement NIST SP 800-171 to protect CUI in their systems and networks.
This new companion publication does not alter the original guidance in the 2015 version, but simply provides additional tools to help deal with what are considered advanced persistent threats. Such threats often attempt to establish long-term footholds within a target’s infrastructure to steal information or undermine critical aspects of its mission, sometimes years after the initial breach.
“When this happens, you need additional safeguards and countermeasures to confuse, deceive, mislead and impede the adversary,” Ross said. “The strategies in SP 800-171B can help you take away the adversary’s tactical advantage and protect and preserve your organization’s high value assets and critical programs, even after the adversary has penetrated your system.”
“The game is not lost after that initial penetration or breach,” he said. “It’s just beginning.”