NIST posts enhanced requirements for protecting CUI

The National Institute of Standards and Technology has published requirements that can help organizations protect controlled unclassified information against nation-state backed threats.

In the wake of the SolarWinds Orion hack, the National Institute of Standards and Technology has published recommendations for enhanced security requirements that can help organizations protect controlled unclassified information (CUI) against nation-state backed threats.

The requirements in SP 800-172 largely fall into one of three categories: structuring systems to be resistant to malicious actors, improving an organization's ability to detect threats and mitigate potential damage, and ensuring an organization can recover from an attack.

"Implementing the cyber safeguards in SP 800-172 will help system owners protect what state-level hackers have considered to be particularly high-value targets: sensitive information about people, technologies, innovation and intellectual property, the revelation of which could compromise our economy and national security," NIST Fellow Ron Ross said.

The document cites a 2018 incident in which Chinese government hackers stole sensitive data from a Navy contractor working on an anti-ship missile design as the reason for its work. But the connection to the SolarWinds hack is clear.

"These tools are absolutely relevant to preventing the next SolarWinds, both for the public- and private-sector hacks," said Blake Moore, formerly chief of staff for the Pentagon's CIO and now a vice president at Wickr. "Similar to the Navy hack of 2018, the SolarWinds breach highlighted the vital importance of securing federal networks against these advanced nation-states."

Moore said that although the SolarWinds Orion hack received more attention due to its scale, the remedies needed in the aftermath of SolarWinds and the 2018 Navy breach are similar. NIST's new publication provides a "roadmap" for how agencies of any size should counter "increasingly advanced tradecraft from nation-state actors," he said.

Sarah Powazek, an analyst at the Institute for Security and Technology, said that while the report's goal is the protection of controlled unclassified information, the recommendations all target "daily security operations of federal partners, suggesting that NIST may be equally concerned about the upstream effects of poor security."

"Tightening access controls for non-federal agencies would improve confidentiality of sensitive information but can also prevent the initial access for [advanced persistent threats] targeting government agencies," she said.

Kathryn Waldron, a cybersecurity fellow at the R Street Institute, emphasized that most of the SolarWinds victims were private companies, not government agencies. NIST's new publication proves "just how desperately both government agencies and private companies need to change the way they think about cybersecurity," she said.

"Private organizations -- both companies and academic institutions -- that work with the government need to realize how appealing a target they are to countries that are looking to harm the United States," Waldron said.

Waldron also noted that NIST's new guidelines come a few months after the intelligence community lobbied the Trump White House to rescind an Obama-era executive order that established the Controlled Unclassified Information program.

A December memorandum sent to National Security Advisor Robert O'Brien by then-Director of National Intelligence John Ratcliffe said the program poses "insurmountable hurdles" and has become "unsustainable," according to a letter published by the Federation of American Scientists.

"We have yet to see if the new DNI or the Biden administration feel the same way about the CUI program," Waldron said. "But the fact that federal intelligence agencies have struggled to comply with the CUI program could potentially hinder the rollout of these new guidelines."

This article was first posted to FCW, a sibling site to Defense Systems.