Overview of NIST 800-171b: 33 Enhanced Security Requirements to Help Protect DoD Contractors
In early July, NIST released draft versions of two new publications:
NIST SP 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
NIST SP 800-171B: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets
NIST explains that its “SP 800-171 Revision 2 provides minor editorial changes… There are no changes to the basic and derived security requirements.”
On the other hand, NIST SP 800-171B is an entirely new publication that introduces 33 enhanced security requirements designed to help protect DoD contractors (specifically, their high-value assets and critical programs, including CUI) from modern attack tactics and techniques associated with Advanced Persistent Threats (APTs). These sophisticated attacks are most often executed by nation-state-backed cyber-criminals whose goal is to steal data relevant to national security.
DoD contractors that are considering implementing enhanced controls should note that “the enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.” For those contractors that have received such a mandate, the control requirements have become significantly more robust, with a focus on the following three objectives:
- Designing and implementing a penetration-resistant architecture
- Implementing damage-limiting operations
- Achieving overall cyber-resiliency and survivability
These enhanced security requirements included within NIST 800-171B are generally more prescriptive than the controls found in NIST 800-171, and they call out individual steps that should be implemented to protect against the Advanced Persistent Threat. The enhanced security controls exist for 10 of the 14 control families in NIST 800-171R2. The majority can be broadly categorized into the following areas:
- Additional requirements for secure and resilient system and network architectures.
- Requirements for secure baseline configurations for systems, explicitly including IoT devices.
- Requirements for formal (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/regulatory-compliance/overview-nist-800-171b/