The Inner Circle

Hi All,

NIST is seeking comments on Draft NIST Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. This is a final public draft.

The public comment period ends on August 21, 2020. See the publication details for a copy of the document and instructions on submitting comments.

Details

Draft NIST Special Publication (SP) 800-172 (formerly Draft NIST SP 800-171B) provides enhanced security requirements to help protect the confidentiality, integrity, and availability of Controlled Unclassified Information (CUI) associated with critical programs or high-value assets in nonfederal systems and organizations from the advanced persistent threat (APT). The APT is an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using both cyber and physical attack vectors. The objectives include establishing and extending footholds within the infrastructure of the targeted organizations for the purposes of exfiltrating information; undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The APT pursues its objectives repeatedly over an extended period, adapts to defenders' efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives.

The enhanced security requirements provide the foundation for a new multidimensional, defense-in-depth protection strategy through (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designing for cyber resiliency and survivability that support and reinforce one another while providing resiliency against the APT.  This strategy recognizes that despite the best protection measures implemented by organizations, the APT may find ways to breach those primary boundary defenses and deploy malicious code within a defender's system. When this situation occurs, organizations must have access to additional safeguards and countermeasures to outmaneuver, confuse, deceive, mislead, and impede the adversary-that is, take away the adversary's tactical advantage and protect and preserve the organization's critical programs and high-value assets.

The enhanced security requirements, as identified and selected by a federal agency, can be implemented in addition to the basic and derived requirements in NIST SP 800-171 since those requirements are not designed to fully address high-end threats such as the APT. The enhanced security requirements apply only to the components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is associated with a critical program or high-value asset.

Based on feedback received during the public comment period, the final draft of this publication includes:

• Updated scoping and applicability guidance;
• A more flexible requirements selection approach to allow implementing organizations to customize their security solutions.
• The addition of assignment and selection statements to certain requirements to give organizations the flexibility to establish specific parameter values, where appropriate.
• The addition of adversary threat effects to show how each enhanced security requirement can influence the cyber attack chain.

Your feedback on this draft publication is important to us. We appreciate each contribution from our reviewers. The very insightful comments from both the public and private sectors, nationally and internationally, continue to help shape the final publication to ensure that it meets the needs and expectations of our stakeholders.

The public comment period for this draft is open through August 21, 2020. We encourage reviewers to use the comment template for organizing and submitting comments.

------------------------------
Michael Roza CPA, CISA, CIA
------------------------------

@Hi Mr. Michael Roza,

If i can give my opinion, i think there might be some informations missing in the key mechanics about Non Federal or not, data is used as a source and will be shared consequentially. Fact is there is some basics now that we might assume in compliance with the GDPR for example with a cloud interface where now is every man for himself, and sorry about this comparaison but the current situation is clearly as follow. Many group are making own and moderate to private if we can say, rules, where in reality or idealy what should be a globalisation mentoring and participating valuable council.
By more comprehension to the subject we can clarify the point to not only set policies and compliance on highly valuable informations or based on a specific policies, instead we should consider it at a more standard level but raise quality compliance and onboarding the assessments at the same time of more cooperation in between non federate corporation for example or small, medium, interesting parties to key stakeholders. Another important part to consider, is to enable and show data as open-source in multidisciplinary instance this need to be considered since current time will have many improvements in the IOT World just to mention this one, while other objections and policies will be elaborated. Where is a must to start doing there Bureau of Quality in terms of all this transition and technology.

Well, i found it pretty short.
I hope it will help, if there is anything i can help with, feel free to reach out. 
Regards,

------------------------------
Armand Jr Brunelle
------------------------------

Original Message:
Sent: Jul 06, 2020 01:50:44 PM
From: Michael Roza
Subject: Enhanced Security Requirements for Protecting CUI: NIST Seeks Public Comments on Draft SP 800-172

Hi All,

NIST is seeking comments on Draft NIST Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. This is a final public draft.

The public comment period ends on August 21, 2020. See the publication details for a copy of the document and instructions on submitting comments.

Details

Draft NIST Special Publication (SP) 800-172 (formerly Draft NIST SP 800-171B) provides enhanced security requirements to help protect the confidentiality, integrity, and availability of Controlled Unclassified Information (CUI) associated with critical programs or high-value assets in nonfederal systems and organizations from the advanced persistent threat (APT). The APT is an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using both cyber and physical attack vectors. The objectives include establishing and extending footholds within the infrastructure of the targeted organizations for the purposes of exfiltrating information; undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The APT pursues its objectives repeatedly over an extended period, adapts to defenders' efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives.

The enhanced security requirements provide the foundation for a new multidimensional, defense-in-depth protection strategy through (1) penetration-resistant architecture, (2) damage-limiting operations, and (3) designing for cyber resiliency and survivability that support and reinforce one another while providing resiliency against the APT.  This strategy recognizes that despite the best protection measures implemented by organizations, the APT may find ways to breach those primary boundary defenses and deploy malicious code within a defender's system. When this situation occurs, organizations must have access to additional safeguards and countermeasures to outmaneuver, confuse, deceive, mislead, and impede the adversary-that is, take away the adversary's tactical advantage and protect and preserve the organization's critical programs and high-value assets.

The enhanced security requirements, as identified and selected by a federal agency, can be implemented in addition to the basic and derived requirements in NIST SP 800-171 since those requirements are not designed to fully address high-end threats such as the APT. The enhanced security requirements apply only to the components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is associated with a critical program or high-value asset.

Based on feedback received during the public comment period, the final draft of this publication includes:

• Updated scoping and applicability guidance;
• A more flexible requirements selection approach to allow implementing organizations to customize their security solutions.
• The addition of assignment and selection statements to certain requirements to give organizations the flexibility to establish specific parameter values, where appropriate.
• The addition of adversary threat effects to show how each enhanced security requirement can influence the cyber attack chain.

Your feedback on this draft publication is important to us. We appreciate each contribution from our reviewers. The very insightful comments from both the public and private sectors, nationally and internationally, continue to help shape the final publication to ensure that it meets the needs and expectations of our stakeholders.

The public comment period for this draft is open through August 21, 2020. We encourage reviewers to use the comment template for organizing and submitting comments.

------------------------------
Michael Roza CPA, CISA, CIA
------------------------------