Nations around the world are adding cyberwarfare to their arsenals, employing highly skilled teams to launch attacks against other countries. These adversaries are also called the “advanced persistent threat,” or APT, because they possess the tools and resources to pursue their objectives repeatedly over an extended period, adapting to defenders’ efforts to resist them, NIST officials said.
"Vulnerable data includes the sensitive but unclassified information managed by government, industry and academia in support of various federal programs. Now, a finalized publication from the National Institute of Standards and Technology (NIST) provides guidance to protect such “controlled unclassified information” (CUI) from the APT. NIST’s Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171, offers a set of tools designed to counter the efforts of state-sponsored hackers and complements another NIST publication aimed at protecting CUI."
The federal government relies heavily on nonfederal service providers to help carry out a wide range of missions using information systems — a term that includes computers, but also a range of other specialized technologies such as industrial control systems and the Internet of Things. The protection of sensitive federal information that resides in nonfederal systems — such as those used by state and local governments, colleges and universities, and independent research organizations — is of paramount importance, as it can directly impact the federal government’s ability to carry out its operations. A hack in 2018 that compromised sensitive information directly inspired the NIST team’s work on SP 800-172.
Formerly numbered SP 800-171B during its draft stages, SP 800-172 offers additional recommendations for handling CUI in situations where that information runs a higher than usual risk of exposure. CUI includes a wide variety of information types, from individuals’ names or Social Security numbers to critical defense information.
The enhanced security requirements are to be implemented in addition to those in SP 800-171, since that publication is not designed to address the APT. The requirements in SP 800-172 apply to the components of nonfederal systems that process, store or transmit CUI or that provide protection for such components. To further narrow the scope, the requirements are applied only when the designated CUI is associated with a critical program or high-value asset — the highest priority for protection, NIST said.
"Developed primarily for administrators such as program managers, CIOs and system auditors, the special publication addresses the protection of CUI for system components by promoting penetration-resistant architecture, damage-limiting operations, and designs to achieve cyber resiliency and survivability. Its tools, divided into 14 families, are not intended to be implemented en masse, but selected according to the needs of the organization.
"In response to feedback received during the public comment period, the final draft includes updated scoping and applicability guidance and a more flexible requirements selection approach to allow organizations to customize their security solutions," according to NIST.
The tools in the new publication should offer hope to anyone seeking to defend against hacks, even by as intimidating a threat as the APT, said Ron Ross, a computer scientist and a NIST fellow, in the NIST news release.
“The adversaries are bringing their ‘A-game’ in these cyberattacks 24 hours a day, 7 days a week,” he said. “You can start making sure the damage is minimized if you use SP 800-172’s cyber safeguards.”