NIST’s timely new release of Special Publication (SP) 800-172 (formerly circulated in draft form as SP 800-171B) provides exactly what its title says: Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171. It goes a step further than its predecessor, however, by focusing on protecting controlled unclassified information (CUI) specifically from advanced persistent threats (APTs).

According to Scott Goodwin, IT audit and security supervisor with OCD Tech and Tripwire guest blog contributor, the latest NIST guidance “…introduces 33 enhanced security requirements designed to help protect DoD contractors (specifically, their high-value-assets and critical programs including CUI) from modern attack tactics and techniques related to Advanced Persistent Threats (APTs). These sophisticated attacks are most often executed by nation-state-backed cyber-criminals whose goal is to steal data relevant to national security.” 

As witnessed in the SolarWinds Orion attack and recent others, threats that go undetected can be the most damaging to both private and public sector environments. As an entity supported by thousands of non-federal service providers, the government has to make certain that CUI stored by commercial partners is protected.

This was the government’s intent for NIST’s original SP 800-171: nonfederal entities supporting government business would have not only guidance for securing CUI but also a solid framework for complying with requirements such as the DoD’s DFARS clause 252.204-7012. For companies that want to continue doing business with the government, SP 800-171 and now SP 800-172 need to be a top priority for program managers, CIOs, system auditors, and others responsible for compliance.

“We developed SP 800-171 in response to major cyberattacks on U.S. critical infrastructure, and its companion document SP 800-172 is designed to mitigate attacks from advanced cyber threats such as the APT,” Ross said. “Implementing the cyber safeguards in SP 800-172 will help system owners protect what state-level hackers