In early July, NIST released draft versions of two new publications:

NIST SP 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

NIST SP 800-171B: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets

NIST explains that its “SP 800-171 Revision 2 provides minor editorial changes… There are no changes to the basic and derived security requirements.”

On the other hand, NIST SP 800-171B is an entirely new publication that introduces 33 enhanced security requirements designed to help protect DoD contractors (specifically, their high-value assets and critical programs involving CUI) from modern attack tactics and techniques associated with Advanced Persistent Threats (APTs). These sophisticated attacks are most often carried out by nation-state-backed actors whose goal is to steal data relevant to national security.

DoD contractors that are considering implementing enhanced controls should note that “the enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.” For those contractors that have received such a mandate, the control requirements have become significantly more robust, with a focus on the following three objectives:

  1. Designing and implementing a penetration-resistant architecture
  2. Implementing damage-limiting operations
  3. Achieving overall cyber-resiliency and survivability

The enhanced security requirements in NIST 800-171B are generally more prescriptive than the controls found in NIST 800-171, and they call out individual steps that should be implemented to protect against advanced persistent threats. Enhanced security controls exist for 10 of the 14 control families in NIST 800-171R2. The majority can be broadly categorized into the following areas:

  • Additional requirements for secure and resilient system and network architectures.
  • Requirements for secure baseline configurations for systems, explicitly including IoT devices.
  • Requirements for formal