The National Institute of Standards and Technology (“NIST”) released the draft of NIST Special Publication 800-172 (“NIST SP 800-172”) on July 6, 2020. This draft special publication succeeds the prior draft NIST SP 800-171B that NIST published in June 2019, and operates as a supplement to the NIST SP 800-171 controls that federal contractors generally must comply with in order to transmit, process, and store Controlled Unclassified Information (“CUI”).
Like the draft of NIST SP 800-171B released last year that it replaces, the publication recognizes that the basic and derived security controls in NIST SP 800-171 are “not designed to address APTs [Advanced Persistent Threats].” As the publication notes, “the APT may find ways to breach and/or compromise boundary defenses and deploy malicious code within a defender’s system.” Thus, the additional safeguards in NIST SP 800-172 are meant to “outmaneuver, confuse, deceive, mislead, and impede the adversary—that is, take away the adversary’s tactical advantage and protect and preserve the organization’s critical programs and high value assets.”
Comments on the draft are due on August 21, 2020.
Approach to Security Controls
The controls in NIST SP 800-172 are built around a “multidimensional, defense-in-depth protection strategy that includes three mutually supportive and reinforcing components: (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designing for cyber resiliency and survivability.” The enhanced security requirements are not tied to particular categories of CUI. Instead, the requirements are focused on “designated high value assets or critical programs that contain CUI, as identified” by the agency to contractors. Under this strategy, the enhanced security requirements focus on several areas that are intended to address the threat from APTs, including:
- Applying a threat-centric approach to security requirements specification;
- Employing alternative system and security architectures that support logical and physical isolation using system and network segmentation techniques, virtual machines, and containers;
- Implementing dual authorization controls for the most critical or sensitive operations;
- Limiting persistent storage to isolated enclaves or domains;
- Implementing a comply-to-connect approach for systems and networks;
- Extending configuration management requirements by establishing authoritative sources for addressing changes to systems and system components;
- Periodically refreshing or upgrading organizational systems and system components to a known state or developing new systems or components;
- Employing a security operations center with advanced analytics to support continuous monitoring and protection of organizational systems; and
- Using deception to confuse and mislead adversaries regarding the information they use for decision-making, the value and authenticity of the information they attempt to exfiltrate, or the environment in which they are operating.
Application to Contractors
The enhanced security requirements described in the new NIST SP 800-172 draft are principally relevant to contractors for the following reasons.
First, the earlier version of this document, NIST SP 800-171B, formed the basis for many of the controls that contractors must comply with to obtain the highest certification levels, Levels 4 and 5, of the forthcoming U.S. Department of Defense (“DoD”) Cybersecurity Maturity Model Certification (“CMMC”). As we have discussed in previous blog posts, the CMMC will be DoD’s new standard for ensuring through external audits that Defense Industrial Base (“DIB”) contractors are compliant with applicable cybersecurity controls. Thus, any changes to this publication may eventually affect the CMMC requirements that apply to DoD contractors.
Second, in some cases the standard may be more immediately relevant because an agency may direct contractors to comply with certain requirements in this guidance document. This is especially true given that CMMC will be rolled out over the next five years, and some agencies may want to apply these particular controls to a procurement even if it is not subject to CMMC requirements. This can happen where a contractor stores “critical” or “high-value” unclassified information on behalf of the Government that may be susceptible to threats or attacks from APTs. The guidance itself is clear that it is not intended to define critical or high-value information or assets, or when particular threats or attack scenarios put this information or these systems at risk; such determinations are left to the discretion of individual agencies.
Ensuring Compliance under Multiple Frameworks
In some cases, contractors may be subject to compliance with both Level 4 or 5 CMMC requirements (when the requirements are rolled out by DoD) and, particularly where a contractor performs work for civilian agencies, a selection of NIST SP 800-172 requirements that are incorporated in one or more of the contractor’s contracts. In this case, contractors should compare carefully the requirements that exist under both frameworks. Although the controls are similar under each framework, differences do exist, as set forth in the table below. One notable difference is the flexibility afforded to contractors through “assignment” and “selection” statements that have been added to NIST SP 800-172 “to give organizations the flexibility to establish specific parameter values, where appropriate.” These flexibilities are not currently in the CMMC’s practices, and could lead to potential disparities if an effort is not made to adopt the most restrictive control. For example, CMMC fixes the security operations center at a 24/7 capability, whereas NIST SP 800-172 leaves the operating period to the organization; a contractor subject to both would need to meet the fixed CMMC value. Some examples are listed below:
| Security Control | CMMC Practice | NIST SP 800-172 Control |
|---|---|---|
| Asset Management | Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory. (C006, L4 – AM.4.226) | Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components. (3.4.3e) |
| Awareness & Training | Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat. (C011, L4 – AT.4.059) | Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training [Assignment: organization-defined frequency] or when there are significant changes to the threat. (3.2.1e) |
| Awareness & Training | Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training. (C011, L4 – AT.4.060) | Include practical exercises in awareness training for [Assignment: organization-defined roles] that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors. (3.2.2e) |
| Configuration Management | Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification, or cryptographic signatures). (C014, L5 – CM.5.074) | Verify the integrity of [Assignment: organization-defined security critical or essential software] using root of trust mechanisms or cryptographic signatures. (3.14.1e) |
| Incident Response | Establish and maintain a security operations center capability that facilitates a 24/7 response capability. (C018, L4 – IR.4.101) | Establish and maintain a security operations center capability that operates [Assignment: organization-defined time period]. (3.6.1e) |
| Incident Response | Establish and maintain a cyber incident response team that can investigate an issue physically or virtually at any location within 24 hours. (C018, L5 – IR.5.108) | Establish and maintain a cyber incident response team that can be deployed by the organization within [Assignment: organization-defined time period]. (3.6.2e) |
| Risk Management | Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities. (C031, L4 – RM.4.150) | Employ [Assignment: organization-defined sources of threat intelligence] as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities. (3.11.1e) |
| Risk Management | Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence. (C032, L5 – RM.5.155) | Assess the effectiveness of security solutions [Assignment: organization-defined frequency] to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence. (3.11.5e) |
| Risk Management | Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain. (C033, L4 – RM.4.148) | Develop and update a plan for managing supply chain risks associated with organizational systems and system components. (3.11.7e) |
| Security Assessment | Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts. (C035, L4 – CA.4.164) | Conduct penetration testing [Assignment: organization-defined frequency], leveraging automated scanning tools and ad hoc tests using human experts. (3.12.1e) |
| Situational Awareness | Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls. (C037, L4 – SA.4.171) | Conduct cyber threat hunting activities [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined event]] to search for indicators of compromise in [Assignment: organization-defined systems] and detect, track, and disrupt threats that evade existing controls. (3.11.2e) |
| System & Information Integrity | Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting. (C040, L4 – SI.4.221) | Use threat indicator information and effective mitigations obtained from [Assignment: organization-defined external organizations] to guide and inform intrusion detection and threat hunting. (3.14.6e) |
| System & Information Integrity | Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior. (C042, L5 – SI.5.223) | Monitor organizational systems and system components on an ongoing basis for anomalous or suspicious behavior. (3.14.2e) |
Conclusion
It is critical for contractors who handle high-value information on behalf of the Government to understand the NIST SP 800-172 framework and to monitor its continuing evolution. Contractors who expect to obtain a Level 4 or 5 certification under the CMMC should evaluate how the CMMC practices compare against any specific NIST SP 800-172 requirements that are incorporated into their contracts, and where the two diverge, plan to the more restrictive of the two. Contractors should also continue to monitor other statutory, regulatory, and policy developments and assess where their company stands against these frameworks, so that they remain eligible for work should they encounter any of these controls in the contracts that they compete for.