The National Institute of Standards and Technology (NIST) released the draft of NIST Special Publication 800-172 (“NIST SP 800-172”) on July 6, 2020.  This draft special publication succeeds the prior draft NIST SP 800-171B that NIST published in June 2019, and operates as a supplement to the NIST SP 800-171 controls that federal contractors generally must comply with in order to transmit, process, and store Controlled Unclassified Information (“CUI”).

Like the draft of NIST SP 800-171B released last year that it replaces, the publication recognizes that the basic and derived security controls in NIST SP 800-171 are “not designed to address APTs [Advanced Persistent Threats].”  As the publication notes,  “the APT may find ways to breach and/or compromise boundary defenses and deploy malicious code within a defender’s system.”  Thus, the additional safeguards in NIST SP 800-172 are meant to “outmaneuver, confuse, deceive, mislead, and impede the adversary—that is, take away the adversary’s tactical advantage and protect and preserve the organization’s critical programs and high value assets.”

Comments on the draft are due on August 21, 2020.

Approach to Security Controls

The controls in NIST SP 800-172 are built around a “multidimensional, defense-in-depth protection strategy that includes three mutually supportive and reinforcing components: (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designing for cyber resiliency and survivability.”  The enhanced security requirements are not tied to particular categories of CUI.  Instead, the requirements are focused on “designated high value assets or critical programs that contain CUI, as identified” by the agency to contractors.  Under this strategy, the enhanced security requirements focus on several areas that are intended to address the threat from APTs, including:

  • Applying a threat-centric approach to security requirements specification;
  • Employing alternative system and security architectures that support logical and physical isolation using system and network segmentation techniques, virtual machines, and containers;
  • Implementing dual authorization controls for the most critical or sensitive operations;
  • Limiting persistent storage to isolated enclaves or domains;
  • Implementing a comply-to-connect approach for systems and networks;
  • Extending configuration management requirements by establishing authoritative sources for addressing changes to systems and system components;
  • Periodically refreshing or upgrading organizational systems and system components to a known state or developing new systems or components;
  • Employing a security operations center with advanced analytics to support continuous monitoring and protection of organizational systems; and
  • Using deception to confuse and mislead adversaries regarding the information they use for decision-making, the value and authenticity of the information they attempt to exfiltrate, or the environment in which they are operating.

Application to Contractors

The enhanced security requirements described in the new NIST SP 800-172 draft are principally relevant to contractors for the following reasons.

First, the earlier version of this document, NIST SP 800-171B, formed the basis for many of the controls that contractors must comply with to obtain the highest certification levels — Levels 4 and 5 — of the forthcoming U.S. Department of Defense (“DoD”) Cybersecurity Maturity Model Certification (“CMMC”).  As we have discussed in previous blog posts, the CMMC will be DoD’s new standard for ensuring through external audits that Defense Industrial Base (“DIB”) contractors are compliant with applicable cybersecurity controls.  Thus, any changes to this publication may eventually affect the CMMC requirements that apply to DoD contractors.

Second, in some cases the standard may be more immediately relevant because an agency may direct contractors to comply with certain requirements in this guidance document.  This is especially true given that CMMC will be rolled out over the next 5 years and some agencies may want to apply these particular controls to a procurement even if not subject to CMMC requirements.  This can happen where a contractor stores “critical” or “high-value” unclassified information on behalf of the Government that may be susceptible to threats or attacks from APTs.  The guidance itself is clear that it is not intended to define critical or high-value information or assets or when particular threats or attack scenarios put this information or systems at risk, and that such determinations are left to the discretion of individual agencies.

Ensuring Compliance under Multiple Frameworks

In some cases, contractors may be subject to compliance with both Level 4 or 5 CMMC requirements (when the requirements are rolled out by DoD) and, particularly where a contractor may perform work for civilian agencies, a selection of NIST SP 800-172 requirements that are incorporated in one or more of the contractor’s contracts.  In this case, contractors should be mindful to compare carefully the requirements that exist under both frameworks.  Although the controls are similar under each framework, differences do exist, as set forth in the table below.  One notable difference is the flexibility afforded to contractors through “assignment” and “selection” statements that have been added to NIST SP 800-172 “to give organizations the flexibility to establish specific parameter values, where appropriate.”  For example, where CMMC fixes a parameter (“at least annually,” “24/7,” “within 24 hours”), the corresponding NIST SP 800-172 requirement leaves that value to the organization.  These flexibilities are not currently in the CMMC’s practices, and could lead to disparities between the two frameworks if an effort is not made to adopt the most restrictive value for each parameter.  Some examples are listed below:

Security Control: Asset Management
  CMMC Practice: Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.  (C006, L4 – AM.4.226)
  NIST SP 800-172 Control: Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components.  (3.4.3e)

Security Control: Awareness & Training
  CMMC Practice: Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.  (C011, L4 – AT.4.059)
  NIST SP 800-172 Control: Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training [Assignment: organization-defined frequency] or when there are significant changes to the threat.  (3.2.1e)

Security Control: Awareness & Training
  CMMC Practice: Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.  (C011, L4 – AT.4.060)
  NIST SP 800-172 Control: Include practical exercises in awareness training for [Assignment: organization-defined roles] that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.  (3.2.2e)

Security Control: Configuration Management
  CMMC Practice: Verify the integrity and correctness of security critical or essential software as defined by the organization (e.g., roots of trust, formal verification, or cryptographic signatures).  (C014, L5 – CM.5.074)
  NIST SP 800-172 Control: Verify the integrity of [Assignment: organization-defined security critical or essential software] using root of trust mechanisms or cryptographic signatures.  (3.14.1e)

Security Control: Incident Response
  CMMC Practice: Establish and maintain a security operations center capability that facilitates a 24/7 response capability.  (C018, L4 – IR.4.101)
  NIST SP 800-172 Control: Establish and maintain a security operations center capability that operates [Assignment: organization-defined time period].  (3.6.1e)

Security Control: Incident Response
  CMMC Practice: Establish and maintain a cyber incident response team that can investigate an issue physically or virtually at any location within 24 hours.  (C018, L5 – IR.5.108)
  NIST SP 800-172 Control: Establish and maintain a cyber incident response team that can be deployed by the organization within [Assignment: organization-defined time period].  (3.6.2e)

Security Control: Risk Management
  CMMC Practice: Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.  (C031, L4 – RM.4.150)
  NIST SP 800-172 Control: Employ [Assignment: organization-defined sources of threat intelligence] as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.  (3.11.1e)

Security Control: Risk Management
  CMMC Practice: Analyze the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.  (C032, L5 – RM.5.155)
  NIST SP 800-172 Control: Assess the effectiveness of security solutions [Assignment: organization-defined frequency] to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.  (3.11.5e)

Security Control: Risk Management
  CMMC Practice: Develop and update as required, a plan for managing supply chain risks associated with the IT supply chain.  (C033, L4 – RM.4.148)
  NIST SP 800-172 Control: Develop and update a plan for managing supply chain risks associated with organizational systems and system components.  (3.11.7e)

Security Control: Security Assessment
  CMMC Practice: Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.  (C035, L4 – CA.4.164)
  NIST SP 800-172 Control: Conduct penetration testing [Assignment: organization-defined frequency], leveraging automated scanning tools and ad hoc tests using human experts.  (3.12.1e)

Security Control: Situational Awareness
  CMMC Practice: Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.  (C037, L4 – SA.4.171)
  NIST SP 800-172 Control: Conduct cyber threat hunting activities [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined event]] to search for indicators of compromise in [Assignment: organization-defined systems] and detect, track, and disrupt threats that evade existing controls.  (3.11.2e)

Security Control: System & Information Integrity
  CMMC Practice: Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.  (C040, L4 – SI.4.221)
  NIST SP 800-172 Control: Use threat indicator information and effective mitigations obtained from [Assignment: organization-defined external organizations] to guide and inform intrusion detection and threat hunting.  (3.14.6e)

Security Control: System & Information Integrity
  CMMC Practice: Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.  (C042, L5 – SI.5.223)
  NIST SP 800-172 Control: Monitor organizational systems and system components on an ongoing basis for anomalous or suspicious behavior.  (3.14.2e)

Conclusion

It is critical for contractors who handle high-value information on behalf of the Government to understand the NIST SP 800-172 framework and monitor its continuing evolution.  Those contractors who expect to obtain a Level 4 or 5 certification under the CMMC should evaluate how the CMMC practices may compare against any specific NIST SP 800-172 requirements that are incorporated into their contracts.  Contractors should also continue to monitor other statutory, regulatory, and policy developments and assess where their company stands against these frameworks to ensure that they remain eligible for work should they encounter any of these controls in the contracts that they compete for.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the U.S. Army Reserve.

Ryan Burnette

Ryan Burnette is a government contracts and technology-focused lawyer that advises on federal contracting compliance requirements and on government and internal investigations that stem from these obligations. Ryan has particular experience with defense and intelligence contracting, as well as with cybersecurity, supply chain, artificial intelligence, and software development requirements.

Ryan also advises on Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) compliance, public policy matters, agency disputes, and government cost accounting, drawing on his prior experience in providing overall direction for the federal contracting system to offer insight on the practical implications of regulations. He has assisted industry clients with the resolution of complex civil and criminal investigations by the Department of Justice, and he regularly speaks and writes on government contracts, cybersecurity, national security, and emerging technology topics.

Ryan is especially experienced with:

  • Government cybersecurity standards, including the Federal Risk and Authorization Management Program (FedRAMP); DFARS 252.204-7012, DFARS 252.204-7020, and other agency cybersecurity requirements; National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171; and the Cybersecurity Maturity Model Certification (CMMC) program.
  • Software and artificial intelligence (AI) requirements, including federal secure software development frameworks and software security attestations; software bill of materials requirements; and current and forthcoming AI data disclosure, validation, and configuration requirements, including unique requirements that are applicable to the use of large language models (LLMs) and dual use foundation models.
  • Supply chain requirements, including Section 889 of the FY19 National Defense Authorization Act; restrictions on covered semiconductors and printed circuit boards; Information and Communications Technology and Services (ICTS) restrictions; and federal exclusionary authorities, such as matters relating to the Federal Acquisition Security Council (FASC).
  • Information handling, marking, and dissemination requirements, including those relating to Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
  • Federal Cost Accounting Standards and FAR Part 31 allocation and reimbursement requirements.

Prior to joining Covington, Ryan served in the Office of Federal Procurement Policy in the Executive Office of the President, where he focused on the development and implementation of government-wide contracting regulations and administrative actions affecting more than $400 billion dollars’ worth of goods and services each year.  While in government, Ryan helped develop several contracting-related Executive Orders, and worked with White House and agency officials on regulatory and policy matters affecting contractor disclosure and agency responsibility determinations, labor and employment issues, IT contracting, commercial item acquisitions, performance contracting, schedule contracting and interagency acquisitions, competition requirements, and suspension and debarment, among others.  Additionally, Ryan was selected to serve on a core team that led reform of security processes affecting federal background investigations for cleared federal employees and contractors in the wake of significant issues affecting the program.  These efforts resulted in the establishment of a semi-autonomous U.S. Government agency to conduct and manage background investigations.

Darby Rourick

Darby Rourick advises defense and civilian contractors on a range of issues related to government contracting and has particular experience in federal cybersecurity and information technology supply chain issues. She has an active investigations practice and has experience representing clients in internal and government investigations, including conducting witness interviews and managing government subpoena and CID responses. She also counsels clients on cybersecurity incident response; compliance with federal cybersecurity laws, regulations, and standards; supplier and subcontractor security issues; and cybersecurity related investigations.