NIST 800-172 to Strengthen CUI Protection Controls | Apptega

Understanding if SP 800-172 Applies to Your Organization and What It May Mean

As the threat landscape continues to evolve and attackers expose millions upon millions of records through successful breaches, many compliance and regulatory organizations are considering changes to some of their existing frameworks, requirements, and recommendations to help close known and anticipated security gaps.

In early 2021, for example, the National Institute of Standards and Technology announced some enhancements to SP 800-171 Rev. 2, as well as the publication of NIST SP 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.”

These enhancements are reflective of a changing threat landscape and the push from the U.S. Department of Defense to ensure that its agencies, contractors, and subcontractors stay well-prepared on the frontlines of protecting controlled unclassified information (CUI). That drove the creation of CUI security standards with NIST SP 800-171, “Protecting Controlled Unclassified Information in Non-Federal Systems,” which was first published back in 2015. NIST SP 800-171 Rev. 1 followed in 2018, with Rev. 2 coming two years later, and then another update in January 2021.

 

The purpose of the most recent NIST 800-171 update is to help further strengthen standards to protect the confidentiality of CUI.

At the time of the latest update’s release, NIST indicated the changes were simply errata and did not alter any of its existing technical information or requirements, nor did it introduce any new ones. Instead, it reflects changes intended to remove ambiguity in previous versions and help provide a better foundation for interpreting the content.

At the same time, however, DoD has been working through changes to its proposed Cybersecurity Maturity Model Certification program, which will require all DoD contractors and subcontractors in the Defense Industrial Base (DIB) to be certified at a certain level to bid on or renew future DoD contracts. You can read more about changes to the CMMC program and its potential impact on contractors here [MOU1].

However, the release of NIST 800-172 does bring some additional clarity to what organizations can do to even further enhance their security practices for CUI.

Before we get into the details of 800-172, let’s do a quick recap of NIST, the 800-171 standards, and some of the key terminology used throughout this blog post.

First, what is CUI in non-federal systems and why does it need protection?

CUI is sensitive, but unregulated information from the government. This is generally sensitive but unprotected and non-regulated information from the U.S. federal government creates or controls. All CUI needs protection controls related to various regulations, laws, and government policies.

All non-federal organizations that work with federal agencies and process, store, or transmit CUI must comply with guidelines established by the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). It’s relevant to all non-federal organizations working with agencies such as DoD, the General Services Administration (GSA), National Aeronautics and Space Administration (NASA), federal agency services providers, vendors, and suppliers for federal agencies, and higher education institutions that get federal grants.

When it comes to protection, CUI is similar to other protected and sensitive information in that if it’s stolen, damaged, or deleted it may have a negative impact on operations and data integrity, for example, a government agency’s ability to operate or deliver services.

Who is NIST and why is it involved with CUI standards?

NIST is the National Institute of Standards and Technology. Established in 1901, it’s part of the U.S. Department of Commerce and is responsible for establishing security standards for everything from atomic clocks to emerging technologies.

In June 2015, NIST first published SP 800-171 in response to a 2010 presidential executive order about CUI. That order set the stage for the U.S. government to initiate steps to standardize how agencies handle and protect CUI.

As a result, NIST took on the task of developing CUI-related security standards and released SP 800-171, which became a requirement for all non-federal organizations that process, store or transmit CUI. Similarly, federal agencies rely on NIST 800-53 as guidance on how they should protect and secure CUI.

While non-federal organizations have long been required to adhere to NIST, there has been some ambiguity in self-attestation processes, which is why, in great part, DoD began the push the new CMMC program into development.

What is NIST 800-171?

NIST 800-171 consists of 14 control families, with 110 security controls that draw on best practices from FIPS 200 and NIST SP 800-53. NIST 800-171 helps organizations with critical CUI security functions such as controls and processes, monitoring and management, practices and procedures, and implementation.

Here’s a quick look at those 14 controls:

• 1. Access Control
• 2. Awareness and Training
• 3. Audit and Accountability
• 4. Configuration Management
• 5. Identification and Authentication
• 6. Incident Response
• 7. Maintenance
• 8. Media Protection
• 9. Personnel Security
• 10. Physical Protection
• 11. Risk Assessment
• 12. Security Assessment
• 13. System and Communications
• 14. System and Information Integrity

By implementing NIST 800-171, your organization can help ensure you’re doing what’s required to keep CUI and other sensitive data safe, can better identify where you have gaps and security weaknesses, and develop plans to mature your organization’s risk analysis and risk management processes.

Unlike CMMC which will require some form of certification, there is no formal certification process for NIST 800-171 compliance. Instead, organizations must demonstrate and document compliance for these standards, for example with a System Security Plan and Plan of Action & Milestones.

The Evolution to NIST 800-172

While NIST 800-171 Rev. 2 didn’t bring forth a lot of new information regarding CUI protections, the publication of NIST 800-172 outlines 35 enhanced security requirements for protecting the confidentiality, integrity, and availability of CUI in non-federal systems from advance persistent threats (APTs) for CUI associated with critical programs and high-value assets.

According to NIST’s Computer Security Resource Center (CSRC), these enhanced requirements will help guide defense strategy through:

• Penetration-resistant architecture
• Damage-limiting operations
• Designing for cyber resiliency and survivability that support and reinforce one another

The concept behind their development recognizes that even with mature security measures, an APT may find a way to breach defenses. These enhancements can help organizations by developing additional safeguards and countermeasures against attackers.

A look at NIST 800-172

Like NIST 800-171, there are 14 families within 800-172. Nestled within each control family, are the recommended 35 enhanced security measures, as well as a discussion about each requirement, a protection strategy, and adversary effects.

Access Control

• Employ dual authorization to execute critical or sensitive system and organizational operations.
• Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.
• Employ [Assignment: organization-defined secure information transfer solutions] to control information flows between security domains on connected systems.

Awareness and Training

• Provide awareness training [Assignment: organization-defined frequency] focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training [Assignment: organization-defined frequency] or when there are significant changes to the threat.
• Include practical exercises in awareness training for [Assignment: organization-defined roles] that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.

Audit and Accountability

There are no enhanced security requirements for audit and accountability.

Configuration Management

• Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
• Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
• Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components.

Identification and Authentication

• Identify and authenticate [Assignment: organization-defined systems and system components] before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant.
• Employ automated mechanisms for the generation, protection, rotation, and management of passwords for systems and system components that do not support multifactor authentication or complex account management.
• Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.

Incident Response

• Establish and maintain a security operations center capability that operates [Assignment: organization-defined time period].
• Establish and maintain a cyber incident response team that can be deployed by the organization within [Assignment: organization-defined time period].

Maintenance

There are no enhanced security requirements for maintenance.

Media Protection

There are no enhanced security requirements for media protection.

Personnel Security

• Conduct [Assignment: organization-defined enhanced personnel screening] for individuals and reassess individual positions and access to CUI [Assignment: organization-defined frequency].
• Ensure that organizational systems are protected if adverse information develops or is obtained about individuals with access to CUI.

Physical Protection

There are no enhanced security requirements for physical protection.

Risk Assessment

• Employ [Assignment: organization-defined sources of threat intelligence] as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
• Conduct cyber threat hunting activities [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined event]] to search for indicators of compromise in [Assignment: organization-defined systems] and detect, track, and disrupt threats that evade existing controls.
• Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems, and system components.
• Document or reference in the system security plan the security solution selected, the rationale for the security solution, and the risk determination
• Assess the effectiveness of security solutions [Assignment: organization-defined frequency] to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.
• Assess, respond to, and monitor supply chain risks associated with organizational systems and system components.
• Develop a plan for managing supply chain risks associated with organizational systems and system components; update the plan [Assignment: organization-defined frequency].

Security Assessment

• Conduct penetration testing [Assignment: organization-defined frequency], leveraging automated scanning tools and ad hoc tests using subject matter experts.

System and Communications Protection

• Create diversity in [Assignment: organization-defined system components] to reduce the extent of malicious code propagation.
• Implement the following changes to organizational systems and system components to introduce a degree of unpredictability into operations: [Assignment: organization-defined changes and frequency of changes by system and system component].
• Employ [Assignment: organization-defined technical and procedural means] to confuse and mislead adversaries.
• Employ [Selection: (one or more): [Assignment: organization-defined physical isolation techniques]; [Assignment: organization-defined logical isolation techniques]] in organizational systems and system components.
• Distribute and relocate the following system functions or resources [Assignment: organization-defined frequency]: [Assignment: organization-defined system functions or resources].

System and Information Integrity

• Verify the integrity of [Assignment: organization-defined security critical or essential software] using root-of-trust mechanisms or cryptographic signatures.
• Monitor organizational systems and system components on an ongoing basis for anomalous or suspicious behavior.
• Ensure that [Assignment: organization-defined systems and system components] are included in the scope of the specified enhanced security requirements or are segregated in purpose-specific networks.
• Refresh [Assignment: organization-defined systems and system components] from a known, trusted state [Assignment: organization-defined frequency].
• Conduct reviews of persistent organizational storage locations [Assignment: organization-defined frequency] and remove CUI that is no longer needed.
• Use threat indicator information and effective mitigations obtained from [Assignment: organization-defined external organizations] to guide and inform intrusion detection and threat hunting.
• Verify the correctness of [Assignment: organization-defined security critical or essential software, firmware, and hardware components] using [Assignment: organization-defined verification methods or techniques].

The 35 security requirements in NIST 800-172 also align with SP 800-53 controls and can be used as an additional layer of security on top of the standards and controls outlined in NIST 800-171.

Here is an example of NIST 800-53 alignment:

Family	Access Control
Security Requirement	Employ dual authorization to execute critical or sensitive system and organizational operations.
Relevant NIST 800-53 controls	Access Enforcement, Dual Authorization Protection of Audit Information, Dual Authorization Access Restrictions for Change, Dual Authorization System Backup, Dual Authorization for Deletion or Destruction Media Sanitization, Dual Authorization

Depending on the nature of the critical program or high-value asset pertaining to the CUI, an organization may choose to implement all 35 security requirements comprehensively or can choose to implement a subset of those requirements. SP 800-172 specifies that in some instances, there are dependencies with some requirements and that could affect which requirements are selected and implemented.

The special publication specifies that there is no expectation that all organizations will apply all of the enhanced security requirements. Instead, each organization should take into consideration mission and business protection needs and should be guided through the process by ongoing risk assessments.

The selection of enhanced security requirements for non-federal organizations (with critical or high-value assets) will be communicated to that organization by the federal agency it’s working with. Likewise, since CUI protection standards also apply to subcontractors, the federal agency is expected to consult with the non-federal organization and then address which enhanced security requirements are needed with those subcontractors.

In some cases, if an organization cannot meet these enhanced requirements with their existing internal resources, they will have the option of working with external service providers for tasks such as threat intelligence; threat and adversary hunting; system monitoring and management; IT infrastructure, platform, and software services; threat, vulnerability and risk assessments; response and recovery; and cyber resiliency.

---

 

If you’re just starting on your NIST 800-171 compliance journey or you’re ready to start adding some of the enhancements outlined in 800-172, Apptega can help you get instant insight into where you are, where you have gaps, and recommendations on what you should do to get you where you want to be. You can even crosswalk the frameworks against other frameworks and controls your organization is already using.

Have questions or need help? Contact an Apptega advisor today to learn more.