In the recently released Special Publication 800-172, the National Institute of Standards and Technology (NIST) details enhanced security requirements for protecting controlled unclassified information (CUI) in non-federal systems and organizations. The final version, released on February 2nd, 2021, describes how to protect the confidentiality, integrity, and availability of CUI associated with critical programs or high-value assets.
Purpose of NIST SP 800-172
NIST 800-172 supplements the requirements already in place under NIST SP 800-171, the standard referenced by DFARS 252.204-7012. It provides 35 enhanced security requirements designed to safeguard CUI from adversaries whose intent is to infiltrate systems and steal national security-related data.
It does not contain guidance for determining which organizational programs or assets are critical or high-value. Instead, the organizations that mandate the enhanced security requirements retain discretion over that determination. The enhanced requirements can be specified in part or in whole, so a given contract may not include every control in 800-172. However, for the sake of expediency, it is likely that 800-172 will be applied to contracts in their entirety rather than as individual components.
NIST 800-172 and Federal Acquisitions Regulations
The Federal Acquisition Regulation (FAR) system was originally established in 1979 and has 15 safeguarding requirements on how businesses protect Federal Contract Information (FCI). Federal agencies, as well as the businesses the government contracts with, maintain FAR-regulated policies. The Defense Federal Acquisition Regulation Supplement (DFARS) clause 7012, administered by the Department of Defense (DoD), established more stringent standards for protecting covered defense information.
Under the DFARS clause, all government contractors must comply with NIST 800-171, which consists of 110 controls to safeguard CUI from cyberattacks. The DFARS process for NIST 800-171 relies on self-certification through system security plans (SSPs) and plans of action and milestones (POA&Ms). Further, companies that fail to complete the certification process remain liable for damages under the False Claims Act (FCA).
CMMC and NIST 800-172
The Cybersecurity Maturity Model Certification (CMMC) was introduced in January 2021 with DFARS clause 7021 as a standard for implementing cybersecurity across the Defense Industrial Base (DIB). It requires defense supply chain contractors to submit a self-certification to the DoD’s Supplier Performance Risk System (SPRS) before receiving any new contracts or contract renewals.
CMMC uses a maturity model composed of five tiered certification levels. Each level reflects the ability of the contracting company to safeguard CUI. The technical requirements become increasingly stringent at each level, with the fifth level mandating the most rigorous security safeguards.
Levels one and two of the CMMC primarily focus on protecting FCI and are largely based on FAR. Levels three through five focus on protecting CUI, which falls under DFARS 7012 and 7021 and the International Traffic in Arms Regulations (ITAR). These levels also include the 110 controls described in NIST 800-171.
As a supplement to NIST 800-171, NIST 800-172 is a separate initiative containing 35 additional controls for protecting against sophisticated advanced persistent threats (APTs). However, unlike NIST 800-171, NIST 800-172 will be specified in individual contracts involving assets considered high-value targets. Its practices correspond to those found in CMMC levels four and five.
Individual NIST 800-172 controls can also be specified within a contract for suppliers working on high-value programs at CMMC level three organizations. As a result, additional controls can be added without forcing those suppliers into levels three and higher.
Enhanced Security Requirements
NIST 800-172 does not function independently; much as DFARS builds on FAR, it builds on the basic requirements of NIST 800-171. The enhanced security requirements in NIST 800-172 rest on three mutually supportive and reinforcing components: penetration-resistant architecture (PRA), damage-limiting operations (DLO), and designing for cyber resiliency and survivability. This enhanced strategy is described in exhaustive detail in NIST 800-160-2.
These strengthened security strategies assume that APTs will attempt sophisticated attacks. When they do, organizations must protect critical programs and high-value assets through countermeasures that detect, outmaneuver, confuse, deceive, mislead, and impede the attack. These actions counteract the adversary’s tactical advantage while protecting the organization’s critical programs and high-value assets.
The enhanced requirements are structured so that their alignment with other NIST publications, particularly NIST 800-171, is easy to follow. For example, the control numbers in NIST 800-172 match those used in NIST 800-171, and an “e” suffix after the number marks the control as an enhanced one. Additionally, the publication identifies which of the three protection strategies described above each control supports. Finally, it details the five groups of adversarial effects referenced in NIST 800-160-2.
Controls Built From NIST 800-171
Beginning with control 3.1.1 in NIST 800-171, the enhanced control 3.1.1e in NIST 800-172 requires multi-factor authentication (MFA). In 3.2.1e, the basic security training requirements expand to cover social engineering, advanced persistent threat actors, breaches, and suspicious behaviors, and training must be updated when the nature of the threat changes significantly. Finally, 3.11.2e adds the need to perform actual threat hunting in the environment, making it a “must-do” alongside MFA. Because such advanced capabilities may lie beyond the reach of smaller defense contractors, agencies are allowed to impose individual controls in contracts as necessary.
An In-Depth Look at Protection Strategies
NIST 800-160, volume 2, covers protection strategies extensively and provides the pillars of NIST 800-172. Although NIST 800-160 runs to over 200 pages, professionals recommend reviewing the publication with special attention to Appendix J. That section describes how cyber resiliency would have played out in the 2015 and 2016 attacks on the Ukrainian power grid and how such a framework would have limited the damage.
The protection strategies outlined in NIST 800-172 are:
- Penetration-resistant architecture – The architecture must use technology and procedures to limit the opportunities for an adversary to compromise the system. More than half of the 35 controls in 800-172 affect how the architecture is built and secured.
- Damage-limiting operations – Operations focused on detecting compromises and limiting the effect of both detected and undetected system compromises.
- Cyber resiliency and survivability – The ability to anticipate, withstand, and recover from an attack.
The adversarial effects listed in the controls support each of these strategies.
The five high-level desired effects on adversaries and attackers are:
- Redirect – Deter, divert, deceive. This includes technologies such as sandboxing, detonation chambers, and honeypots, as well as practices like tainting, which use deliberately misleading system information to lure attackers away from the real CUI.
- Preclude – Expunge, preempt, negate. The goal is to ensure that the threat event does not produce the attacker’s desired outcome.
- Impede – Contain, degrade, delay, exert. Actions that make it more difficult for threat events to cause negative consequences.
- Limit – Shorten the duration or reduce the degree of damage from a threat event.
- Expose – Detect, scrutinize, reveal. This includes not only threat hunting but also participating in threat intelligence data feeds.
Each of these adversarial effects breaks down further into 15 specific impacts on risk and expected results, which are described in detail in NIST 800-160.
Government contractors and partners whose systems handle sensitive information are continually exposed to adversarial attacks. The recently released NIST 800-172 publication details how administrators can implement enhanced security practices to help prevent and mitigate those risks. Knowing what occurs before, during, and after a cybersecurity event is imperative to protecting CUI at all costs.
Agile IT can help your company implement best-in-class security policies and tools. Contact us for more information on our dedicated cybersecurity resources.