NIST recently released the final public draft of SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (formerly Draft NIST SP 800-171B). NIST is proposing additional security requirements for certain CUI in non-federal systems that is associated with critical programs or high value assets and is soliciting public comments through August 21, 2020.

The enhanced security requirements focus on promoting (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designs to achieve cyber resiliency and survivability. While these requirements apply to critical programs and high value assets, NIST did not include guidance on determining which organizational programs or assets fall under these categories. Such determinations will be left to organizations/agencies mandating the use of the enhanced security requirements and such organizations should look to applicable laws, executive orders, directives, regulations or policies.

NIST envisions that federal agencies can implement these enhanced security requirements comprehensively or they may select a subset of requirements as a part of their risk management strategy. Federal contractors can expect that agencies may contractually require certain enhanced security requirements contained in the publication regarding the handling of CUI.

The enhanced security requirements themselves are derived from the security controls in SP 800-53, which focuses on the security of government systems, and are particularly focused on the following elements, which are essential for addressing advanced persistent threats:

  • Applying a threat-centric approach to security requirements specification;
  • Employing alternative system and security architectures that support logical and physical isolation using system and network segmentation techniques, virtual machines, and containers
  • Implementing dual authorization controls for the most critical or sensitive operations;
  • Limiting persistent storage to isolated enclaves or domains;
  • Implementing a comply-to-connect approach for systems and networks;
  • Extending configuration management requirements by establishing authoritative sources for addressing changes to systems and system components;
  • Periodically refreshing or upgrading organizational systems and system components to a known state or developing new systems or components;
  • Employing a security operations center with advanced analytics to support continuous monitoring and protection of organizational systems; and
  • Using deception to confuse and mislead adversaries regarding the information they use for decision-making, the value and authenticity of the information they attempt to exfiltrate, or the environment in which they are operating.

Putting it Into Practice: While not finalized yet, companies that contract with the federal government and have access to CUI associated with critical programs or high value assets should consider how these enhanced security requirements may affect their operations. NIST is accepting comments from the public on SP 800-172 until August 21, 2020.