Protecting Controlled Unclassified Information: Comment on Draft NIST SP 800-171 Rev. 2 and Draft NIST SP 800-171B (comment period ends July 19, 2019)

https://csrc.nist.gov/News/2019/draft-sp-800-171-rev-2-and-sp-800-171b

NIST is seeking comments on Draft NIST Special Publication (SP) 800-171 Revision 2Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and Draft NIST SP 800-171BProtecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets.

The public comment period for both publications ends on July 19, 2019. See the publication details for SP 800-171 Rev. 2 and SP 800-171B for document files and instructions on submitting comments.

Details

Draft NIST SP 800-171 Revision 2 provides minor editorial changes in Chapters One and Two, and in the Glossary, Acronyms, and References appendices. There are no changes to the basic and derived security requirements in Chapter Three. For ease of use, the Discussion sections, previously located in Appendix F (SP 800-171 Revision 1), have been relocated to Chapter Three to coincide with the basic and derived security requirements.

Draft NIST SP 800-171BProtecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets, was developed in the spring of 2019 as a supplement to NIST SP 800-171. This new document offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher-than-usual risk of exposure. When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)). In recent years, these critical programs and HVAs have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST.

The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171, since the basic and derived requirements are not designed to address the APT. The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a critical program or HVA. The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

Director’s Corner

by Mark Bradley, Director, ISOO

The Wall Street Journal reported in its April 29, 2019, edition that American intelligence chiefs now believe that Chinese espionage is the most significant long-term threat facing the country. This threat encompasses traditional spy craft, which is aimed at stealing government secrets, and the theft of intellectual property and research from corporations and universities. China’s effort is being aided and abetted by oceans of stolen personal data, such as the heist in 2015 of more than 20 million files from the Office of Personnel Management. Counterintelligence experts believe that such grand scale thefts help Chinese intelligence officers pinpoint who may be the most vulnerable to recruitment.

The Information Security Oversight Office is the Executive Agent of the government’s Controlled Unclassified Information program. This program’s primary aim is to enhance the government’s protection of sensitive but unclassified information.