Overview of NIST 800-171b: 33 Enhanced Security Requirements to Help Protect DoD Contractors

Image

In early July, NIST released draft versions of two new publications: NIST SP 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and NIST SP 800-171B: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets. NIST explains that its “SP 800-171 Revision 2 provides minor editorial changes... There are no changes to the basic and derived security requirements.” On the other hand, NIST SP 800-171B is an entirely new publication that introduces 33 enhanced security requirements designed to help protect DoD contractors (specifically, their high-value-assets and critical programs including CUI) from modern attack tactics and techniques related to Advanced Persistent Threats (APTs). These sophisticated attacks are most often executed by nation-state-backed cyber-criminals whose goal is to steal data relevant to national security. DoD contractors that are considering implementing enhanced controls should note that “the enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.” For those contractors that have received such a mandate, the control requirements have become significantly more robust, with a focus on the following three objectives:

1. Designing and implementing a penetration-resistant architecture
2. Implementation of damage limiting operations
3. Overall cyber-resiliency and survivability

These enhanced security requirements included within NIST 800-171B are generally more prescriptive than the controls found in NIST 800-171, and they call out individual steps that should be implemented to protect against the Advanced Persistent Threat. The enhanced security controls exist for 10 of the 14 control families in NIST 800-171R2. The majority can be broadly categorized into the following areas:

• Additional requirements for secure and resilient system and network architectures.
• Requirements for secure baseline configurations for systems, explicitly including IoT devices.
• Requirements for formal change control and configuration management processes.
• Requirements for a fully operational security operations center and mobile incident response team.
• Requirements for the use of threat intelligence, advanced analytics and monitoring, automation, cyber-deception and other components of a truly mature information security toolkit.

NIST and the Department of Defense acknowledge that the requirements put forth in NIST800-171B are complex, costly and time-consuming to implement properly. As such, explicit recommendations exist that contractors work with qualified third-party service organizations to provide coverage for those controls that the organization cannot, or will not, implement on its own. Contractors who work with the United States Department of Defense can no longer turn a blind-eye to these requirements as enforcement, and prosecution under the False Claims Act, is officially underway.

NIST 800-171B

1. Employ dual authorization to execute critical or sensitive system and organizational operations.
2. Restrict access to systems and system components to only those information resources that are owned, provisioned or issued by the organization.
3. Employ secure information transfer solutions to control information flows between security domains on connected systems.
4. Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
5. Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.
6. Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
7. Employ automated mechanisms to detect the presence of misconfigured or unauthorized system components and remove the components or place the components in a quarantine or remediation network that allows for patching, reconfiguration or other mitigations.
8. Employ automated discovery and management tools to maintain an up-to-date, complete, accurate and readily available inventory of system components.
9. Identify and authenticate systems and system components before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant.
10. Employ password managers for the generation, rotation and management of passwords for systems and system components that do not support multifactor authentication or complex account management.
11. Employ automated mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state or in a trust profile.
12. Establish and maintain a full time security operations center capability.
13. Establish and maintain a cyber incident response team that can be deployed to any location identified by the organization within 24 hours.
14. Conduct enhanced personnel screening (vetting) for individual trustworthiness and reassess individual trustworthiness on an ongoing basis.
15. Ensure that organizational systems are protected whenever adverse information develops regarding the trustworthiness of individuals with access to CUI.
16. Employ threat intelligence to inform the development of the system and security architectures, selection of security solutions, monitoring, threat hunting and response and recovery activities.
17. Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track and disrupt threats that evade existing controls.
18. Employ advanced automation and analytics capabilities to predict and identify risks to organizations, systems or system components.
19. Document or reference in the system security plan the risk basis for security solution selection and identify the system and security architecture, system components, boundary isolation or protection mechanisms and dependencies on external service providers.
20. Assess the effectiveness of security solutions at least annually to address anticipated risk to the system and the organization based on current and accumulated threat intelligence.
21. Assess, respond to and monitor supply chain risks associated with organizational systems
22. Develop and update as required a plan for managing supply chain risks associated with organizational systems.
23. Conduct penetration testing at least annually, leveraging automated scanning tools and ad hoc tests using human experts.
24. Employ diverse system components to reduce the extent of malicious code propagation.
25. Disrupt the attack surface of organizational systems and system components through unpredictability, moving target defense or non-persistence.
26. Employ technical and procedural means to confuse and mislead adversaries through a combination of misdirection, tainting or disinformation.
27. Employ physical and logical isolation techniques in the system and security architecture.
28. Employ roots of trust, formal verification or cryptographic signatures to verify the integrity and correctness of security critical or essential software.
29. Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.
30. Ensure that Internet of Things (IoT), Operational Technology (OT) and Industrial Internet of Things (IIoT) systems, components and devices are compliant with the security requirements imposed on organizational systems or are isolated in purpose specific networks.
31. Refresh organizational systems and system components from a known, trusted state at least twice annually.
32. Conduct periodic reviews of persistent organizational storage locations and purge CUI that is no longer needed consistent with federal records retention policies and disposition schedules.
33. Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.

About the Author:

Image

Scott Goodwin is an IT Audit and Security Supervisor with OCD Tech. He graduated with a Bachelor of Science in Physics from the University of Massachusetts. His primary engagements are IT vulnerability assessments, penetration tests, NIST 800-53 and 800-171 assessments, and security advisory services. He is also conducting ongoing research projects related to open source intelligence and vulnerability analysis. You can follow Scott on Twitter, LinkedIn or on OCD Tech’s blog. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.