In July, NIST released draft versions of two new publications: NIST SP 800-171 Revision 2: Protecting Controlled Unclassified Information in Non-federal Systems and Organizations and NIST SP 800-171B: Protecting Controlled Unclassified Information in Non-federal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets.
While NIST SP 800-171 Revision 2 sees little change, the new publication of NIST SP 800-171B has introduced 33 enhanced security requirements, “designed to protect DoD contractors (specifically, their high-value-assets and critical programs including CUI) from modern attack tactics and techniques related to Advanced Persistent Threats (APTs).”
“These enhanced security requirements included within NIST 800-171B are generally more prescriptive than the controls found in NIST 800-171, and they call out individual steps that should be implemented to protect against the Advanced Persistent Threat.”
Contractors and sub-contractors who work with the United States Department of Defense must review these new requirements and ensure their compliance where required, as enforcement under the False Claims Act is already underway.
The 33 enhanced security requirements outlined in the new draft publication are as follows:
- Employ dual authorization to execute critical or sensitive system and organizational operations.
- Restrict access to systems and system components to only those information resources that are owned, provisioned or issued by the organization.
- Employ secure information transfer solutions to control information flows between security domains on connected systems.
- Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviours; update the training at least annually or when there are significant changes to the threat.
- Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.
- Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
- Employ automated mechanisms to detect the presence of misconfigured or unauthorized system components and remove the components or place the components in a quarantine or remediation network that allows for patching, reconfiguration or other mitigations.
- Employ automated discovery and management tools to maintain an up-to-date, complete, accurate and readily available inventory of system components.
- Identify and authenticate systems and system components before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant.
- Employ password managers for the generation, rotation and management of passwords for systems and system components that do not support multifactor authentication or complex account management.
- Employ automated mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state or in a trust profile.
- Establish and maintain a full-time Security Operations Center (SOC) capability.
- Establish and maintain a cyber incident response team that can be deployed to any location identified by the organization within 24 hours.
- Conduct enhanced personnel screening (vetting) for individual trustworthiness and reassess individual trustworthiness on an ongoing basis.
- Ensure that organizational systems are protected whenever adverse information develops regarding the trustworthiness of individuals with access to CUI.
- Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting and response and recovery activities.
- Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track and disrupt threats that evade existing controls.
- Employ advanced automation and analytics capabilities to predict and identify risks to organizations, systems or system components.
- Document or reference in the system security plan the risk basis for security solution selection and identify the system and security architecture, system components, boundary isolation or protection mechanisms and dependencies on external service providers.
- Assess the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.
- Assess, respond to and monitor supply chain risks associated with organizational systems.
- Develop and update as required a plan for managing supply chain risks associated with organizational systems.
- Conduct penetration testing at least annually, leveraging automated scanning tools and ad hoc tests using human experts.
- Employ diverse system components to reduce the extent of malicious code propagation.
- Disrupt the attack surface of organizational systems and system components through unpredictability, moving target defense or non-persistence.
- Employ technical and procedural means to confuse and mislead adversaries through a combination of misdirection, tainting or disinformation.
- Employ physical and logical isolation techniques in the system and security architecture.
- Employ roots of trust, formal verification or cryptographic signatures to verify the integrity and correctness of security critical or essential software.
- Monitor individuals and system components on an ongoing basis for anomalous or suspicious behaviour.
- Ensure that Internet of Things (IoT), Operational Technology (OT) and Industrial Internet of Things (IIoT) systems, components and devices are compliant with the security requirements imposed on organizational systems or are isolated in purpose specific networks.
- Refresh organizational systems and system components from a known, trusted state at least twice annually.
- Conduct periodic reviews of persistent organizational storage locations and purge CUI that is no longer needed consistent with federal records retention policies and disposition schedules.
- Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.
Quotations taken from the following Tripwire article.