NIST 171B Suggests Heightened Cybersecurity Requirements for Critical Programs and High Value Assets
Cybersecurity within the defense industrial base has been the subject of significant media attention. Recently, the Washington Post reported that hackers employed by the Chinese Ministry of State Security targeted a Rhode Island company working on the Navy’s “Sea Dragon” program. The Post reported that these hackers exfiltrated 614 gigabytes of data. A Navy spokesman explained, “There are measures in place that require companies to notify the government when a ‘cyber incident’ has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information.”
The Department of Defense is stressing the importance of protecting controlled unclassified information (CUI) with greater urgency than ever before. The risk was formally recognized in 2010 when President Obama signed Executive Order 13556. This order gave rise to the cybersecurity standards required for nonfederal systems known as NIST 800-171. With 110 requirements organized into 14 “families,” NIST 800-171 is a broad framework for cybersecurity. A common concern among government contractors is the exceptionally fluid nature of the cybersecurity landscape. Contractors must confront a bombardment of threats, many of which take advantage of cyber vulnerabilities not yet realized commercially. Furthermore, the likelihood that threats are already present and hidden in contractor systems makes cybersecurity vulnerabilities especially difficult to confront. Recent events like the Sea Dragon hack illustrate the need for more robust standards beyond the baseline established by 800-171 for the most critical unclassified information. With the need for greater protection of these assets in mind, the National Institute of Standards and Technology has promulgated a draft of NIST 800-171B.
With 171B’s proposed heightened security criteria, NIST seeks to protect nonfederal infrastructure storing classified information for critical programs and high-value assets against advanced cyber threats. The draft of 171B proposes applying 32 additional controls to critical programs and high-value assets, supplementing the initial 110. Pursuant to OMB Memorandum M-19-03, an agency may designate Federal information as a high-value asset if it has a high informational value, it is mission essential, or it is federal civilian enterprise essential. NIST created the draft of 171B with what it calls the advanced persistent threat (APT) in mind. The APT is an adversary that possesses “sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors including cyber, physical, and deception.” In other words, NIST’s new requirements are aimed at those who play the long game in cyber warfare, establishing footholds in targeted infrastructure to be leveraged in the future. To combat the APT, the draft provides a foundation grounded in three components: (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designing for cyber resiliency and survivability. NIST organized the draft requirements into the 14 families outlined in NIST 800-171, but for reasons of scope did not add new requirements to the contingency planning, system and services acquisition, and planning families.
The draft stresses that the new enhanced requirements apply only to the components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for those components when the designated CUI is contained in a critical program or high-value asset. However, if the new requirements apply, NIST’s stated examples of components suggest a broad range of technologies. NIST specifically mentions mainframes, workstations, servers, input and output devices, cyber-physical components, network components, mobile devices, operating systems, virtual machines, and applications as included under the term components.
Generally, NIST explained that the requirements focus on nine key elements essential to addressing advanced persistent threats. These elements are:
- Applying a threat-centric approach to security requirements specification;
- Employing alternative system and security architectures that support logical and physical isolation using system and network segmentation techniques, virtual machines, and containers;
- Implementing dual authorization controls for the most critical or sensitive operations;
- Limiting persistent storage to isolated enclaves or domains;
- Implementing a comply-to-connect approach for systems and networks;
- Extending configuration management requirements by establishing authoritative sources for addressing changes to systems and system components;
- Periodically refreshing or upgrading organizational systems and system components to a known state or developing new systems or components;
- Employing a security operations center with advanced analytics to support continuous monitoring and protection of organizational systems; and
- Using deception to confuse and mislead adversaries regarding the information they use for decision making, the value and authenticity of the information they attempt to exfiltrate, or the environment in which they are operating.
Ron Ross, one of the authors of the draft, acknowledged the burden of applying these new requirements but emphasized that the requirements would only apply to a small percentage of programs and assets. The determination of when these requirements would need to apply would be left to the federal departments and agencies. At the same time, Ross suggested that companies outside the world of government contracting could benefit from applying these protections voluntarily. Although these requirements are aimed at protecting particularly critical CUI, it is essential to think about them with an eye on the future of cybersecurity. In such a dynamic threat environment, it is possible that parts of NIST 800-171B, if adopted, could be applied across the board, either as a requirement or as voluntary due diligence, as the need for greater protections increases over time.