The National Institutes of Science and Technology (NIST) has published a supplement to Special Publication (SP) 800-171 outlining requirements for a non-federal organization to develop a cyber program that is resilient against state-sponsored hackers. NIST SP 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information,” offers additional recommendations for defending controlled unclassified information (CUI) against advanced persistent threats (APT).
To be clear, the enhanced security requirements in 800-172 are only applicable when mandated by a federal agency in a contract, grant, or other agreement. They are intended to supplement the basic and derived requirements in 800-171, which were not designed to address sophisticated APTs. This is not a requirement for every contract that involves handling CUI.
The enhanced security requirements provide the foundation for a multidimensional, defense-in- depth protection strategy that includes three mutually supportive and reinforcing components:
- Penetration-resistant architecture,
- Damage-limiting operations, and
- Designing for cyber resiliency and survivability.
“Implementing the cyber safeguards in SP 800-172 will help system owners protect what state-level hackers have considered to be particularly high-value targets: sensitive information about people, technologies, innovation and intellectual property, the revelation of which could compromise our economy and national security,” said Ron Ross, a computer scientist and a NIST fellow in a press release issued by the organization February 2nd.
Originally developed as 800-171B, these enhanced controls have been used to partially build the requirements for Cybersecurity Maturity Model Certification (CMMC) Levels 4 and 5, which are designed to reduce an organization’s risk of an APT compromise. Renamed SP 800-172, the draft was released in July 2020 for a public comment period.
After public comment, the final version of SP 800-172 was released earlier this month to provide private companies, industry and academia “additional recommendations for handling CUI in situations where that information runs a higher than usual risk of exposure. CUI includes a wide variety of information types, from individuals’ names or Social Security numbers to critical defense information.”
Though some of the content is a little different in the final version, there were no significant changes from the draft. Fifteen controls still overlap with the proposed practices in Levels 4 and 5 of the (CMMC), and although some of the practices are no longer word-for-word identical to the controls in NIST SP 800-172, the few differences are minor.
“There are also a number of 800-172 controls that weren’t included in the latest version of the CMMC model,” said Josh O’Sullivan, Ardalyst’s chief technology officer. “It is possible they will eventually be incorporated into levels 4 or 5.”
Comments made by Stacy Bostjanick, the DoD’s acting director for supply chain risk management, during an interview with Inside Cybersecurity suggest that’s the plan. Though released along with the requirements for Levels 1-3 in CMMC v1.02, requirements for Levels 4 and 5 are still being fully developed.
O’Sullivan also suggested that maybe 800-172 will stand alone as an additional standard to follow for those that recognize even CMMC Level 5 is only a minimum set of requirements for safeguarding against nation-state APTs.
“High-tier threats will spend billions of dollars to develop new tactics, techniques and procedures, or TTPs, that introduce new vulnerabilities to information systems,” he said. “The draft Levels 4 and 5 controls are a great starting guide to help contractors mature their cybersecurity programs to meet these ever-evolving advanced threats, but maintaining that resilience will require further maturity.”
According to the press release, NIST originally developed the enhanced requirements in response to the Chinese government’s 2018 hack of a third-party contractor, during which a large amount of highly sensitive data on undersea warfare from the U.S. Navy was stolen. The most recent update and subsequent publication of 800-172 supports the conviction that cybersecurity practices must evolve to keep ahead of the continuously evolving TTPs advanced adversaries implement as they attempt to penetrate U.S. defenses.
It may be hard to believe now, but even CMMC Level 5 will be a minimum standard for some contracts and is not yet a program for all parts of government. With NIST SP 800-172 finalized, it provides an official standard for government contracts to go beyond NIST 800-171 and CMMC.