A new supplement to the National Institute of Standards and Technology (NIST) 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” is on the way. The proposed supplement 800-171B adds 35 new requirements that go alongside the 110 controls in 800-171rev2.
Supplement B applies to companies that receive controlled unclassified information (CUI) as part of a ‘critical program’ (CP) or a high value asset (HVA). How do you know if your company falls into either of these categories? It will be spelled out in your contract or purchase order from the government or government contractor(s). The DoD estimates that there are 69,000 contractors that possess CUI, and that only 80 contractors (0.5% of DoD contractors) will be subject to these enhanced security controls. However, all of these are first-tier contractors that hold the contracts, and each of them has a large number of subcontractors. The primary contractor will be responsible for enforcement on its subs. NIST is also beginning work on rev3 of 800-171, which will have ‘substantive changes’ from rev 2. It is highly likely that supplement B’s enhanced security controls will filter into rev3, which will apply to a much broader group.
The 35 new requirements fall into 3 categories:
- Penetration resistant architecture
- Damage limiting operations
- Designing for cyber resiliency and survivability
Highlights of the new controls include:
- More multi-factor authentication
- Better awareness training
- Stronger configuration management
- Stronger encryption standards
- A full-time SOC and Incident Response team is required
- Reassessing background checks on an ongoing basis
- Use of threat intelligence in risk assessment
- Ongoing threat hunting within the systems
- More isolation tactics to reduce risk (micro segmentation – zero trust)
- Anomalous behavior detection
While the new requirements may not apply to you today, reviewing them is, at a minimum, a great way to foresee the future of security controls and to think about how your organization would respond if a compliance mandate or regulation required them. Foresite can help with many of these requirements, including assessing your current posture. If you are one of the few that will have to be concerned with this immediately, the SP is in draft form and open for comment. The public comment period will be open until July 19, 2019, and comments can be submitted to NIST via email to sec-cert@nist.gov.