NIST Proposes Draft Enhanced Security Requirements for Protecting CUI

Sheppard Mullin Richter & Hampton LLP

NIST recently released the final public draft of SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (formerly Draft NIST SP 800-171B). NIST is proposing additional security requirements for certain CUI in non-federal systems that is associated with critical programs or high value assets and is soliciting public comments through August 21, 2020.

The enhanced security requirements focus on promoting (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designs to achieve cyber resiliency and survivability. While these requirements apply to critical programs and high value assets, NIST did not include guidance on determining which organizational programs or assets fall under these categories. Such determinations will be left to organizations/agencies mandating the use of the enhanced security requirements and such organizations should look to applicable laws, executive orders, directives, regulations or policies.

NIST envisions that federal agencies can implement these enhanced security requirements comprehensively or they may select a subset of requirements as a part of their risk management strategy. Federal contractors can expect that agencies may contractually require certain enhanced security requirements contained in the publication regarding the handling of CUI.

The enhanced security requirements themselves are derived from the security controls in SP 800-53, which focuses on the security of government systems, and are particularly focused on the following elements, which are essential for addressing advanced persistent threats:

  • Applying a threat-centric approach to security requirements specification;
  • Employing alternative system and security architectures that support logical and physical isolation using system and network segmentation techniques, virtual machines, and containers
  • Implementing dual authorization controls for the most critical or sensitive operations;
  • Limiting persistent storage to isolated enclaves or domains;
  • Implementing a comply-to-connect approach for systems and networks;
  • Extending configuration management requirements by establishing authoritative sources for addressing changes to systems and system components;
  • Periodically refreshing or upgrading organizational systems and system components to a known state or developing new systems or components;
  • Employing a security operations center with advanced analytics to support continuous monitoring and protection of organizational systems; and
  • Using deception to confuse and mislead adversaries regarding the information they use for decision-making, the value and authenticity of the information they attempt to exfiltrate, or the environment in which they are operating.

Putting it Into Practice: While not finalized yet, companies that contract with the federal government and have access to CUI associated with critical programs or high value assets should consider how these enhanced security requirements may affect their operations. NIST is accepting comments from the public on SP 800-172 until August 21, 2020.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP
Contact
more
less

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.