The National Institute of Standards and Technology (NIST) has announced proposed changes to NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The proposed changes are twofold: (1) making minor editorial changes and clarifications to existing SP 800-171, and (2) proposing enhanced security requirements for critical programs and high value assets to protect against the advanced persistent threat (APT) in a new publication, SP 800-171B. These proposals will not only affect the government contractors who are directly subject to the requirements through their agreements with the government, but may also ripple into the private sector. These proposals are open for public comment through August 2, 2019*.
Originally published in 2015, the NIST SP 800-171 controls are designed to set minimum security standards for government contractors that process, store, or transmit controlled unclassified information (CUI). The types of information that are considered CUI are listed in the CUI Registry and include a wide range of information, from federal taxpayer information to critical defense information. The proposed revisions in SP 800-171, Revision 2, are minor editorial changes; no changes were proposed to the basic or derived security requirements. NIST has stated that a comprehensive update to SP 800-171 will be forthcoming in Revision 3.
However, NIST has proposed new, more rigorous security standards for nonfederal systems and organizations that either support critical programs or are part of high value assets – such as weapon systems – in its new publication, SP 800-171B. NIST’s SP 800-171B builds upon the security requirements laid out in SP 800-171. As the NIST SP 800-171 controls are frequently cited in private sector agreements as minimum requirements for vendors that process, store, or transmit an organization’s data, the proposed controls will likely spread into other industries and impact vendors regardless of whether they contract with the government.
The new requirements in NIST SP 800-171B are meant to supplement (as opposed to take the place of) SP 800-171 and set a substantially higher bar for minimum security practices in applicable organizations compared with SP 800-171 generally. Specifically, SP 800-171B adds 32 enhanced security requirements to the 110 security controls listed in SP 800-171, focusing on three main components: (1) a penetration-resistant architecture; (2) damage-limiting operations; and (3) designing systems for cyber resiliency and survivability. For example, NIST SP 800-171B adds the following three requirements to the existing controls related to access to CUI (further limiting access rights): (1) employ dual authorization to execute critical or sensitive system and organizational operations; (2) restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization; and (3) employ secure information transfer solutions to control information flows between security domains on connected systems.
For most companies, the enhanced requirements are likely more cost-intensive than the general requirements of NIST SP 800-171. One cost-intensive example of a new requirement is that organizations must establish and maintain a full-time security operations center and an incident response team that can deploy to any location within 24 hours. The proposal does provide that NIST will allow organizations to contract with third parties to meet these new standards rather than require the organizations to have the capability to meet the standards in-house.
Per SP 800-171B, organizations will only have to comply with SP 800-171B “when mandated by a federal agency in a contract, grant, or other agreement.” Thus, once SP 800-171B is finalized, organizations should review their agreements to determine if compliance is required. As mentioned above, private sector organizations are likely to increasingly require vendors to meet the heightened requirements for the organization’s own data that the organization deems highly sensitive – especially organizations with large volumes of sensitive data. Accordingly, and regardless of when NIST SP 800-171B is issued in final form, organizations that know they will likely be subject to these new requirements should begin thinking about how to implement them. Some of these requirements will require new technologies, training, and employees, so the sooner each organization creates an implementation plan and strategy, the smoother and more cost-efficient the implementation will be.
To learn more about the proposals, or for assistance in providing a comment, contact any of the authors for more information.
*Editor's Note: Date updated on July 10, 2019.