NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft)
Comments are due by August 21, 2020.
Please see https://csrc.nist.gov/publications/detail/sp/800-172/draft for more information, the draft publication, and directions for submitting comments.
“In certain situations, CUI may be associated with a critical program6 or a high value asset7. These critical programs and high value assets are potential targets for the advanced persistent threat (APT). An APT is an adversary or adversarial group that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors, including cyber, physical, and deception. The APT objectives include establishing footholds within the infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission, functions, program, or organization; or positioning itself to carry out these objectives in the future. The APT pursues its objectives repeatedly over an extended period, adapts to defenders’ efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives. While the category of CUI itself does not require greater protection, CUI associated with critical programs or high value assets is at greater risk because the APT is more likely to target such information and therefore requires additional protection.
6 The definition of a critical program may vary from organization to organization. For example, the Department of Defense defines a critical program as a program which significantly increases capabilities and mission effectiveness or extends the expected effective life of an essential system/capability [DOD ACQ].
7 See [OMB M-19-03] and [OCIO HVA].”
-NIST SP 800-172 (Daft) Lines 223-235