The National Institute of Standards and Technology (NIST) released a draft of a new publication offering additional guidance for securing Controlled Unclassified Information (CUI) in non-Federal systems, aimed at protecting high value assets from foreign adversaries.
Special Publication (SP) 800-171B is a companion publication to the existing SP 800-171 guidance, and offers additional recommendations for CUI at risk of an advanced persistent threat, especially in the defense industrial base.
“When CUI is part of a critical program or a high value asset – such as a weapons system – it can become a significant target for high-end, sophisticated adversaries. In recent years, these programs and assets have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST,” the agency noted in a news release.
The guidance includes 33 recommended requirements for information at the moderate level or above that may need additional protection. Those requirements sit on top of the 110 recommended requirements in SP 800-171 and map to the security controls in SP 800-53. Many of them center on system and information integrity, risk assessment, system and communication protection, and identification and authentication.
“The requirements have been influenced by several studies on the most effective methods for protecting the confidentiality and integrity of information (and CUI in particular) against cyber-attacks from advanced cyber threats and for ensuring the cyber resiliency of systems and organizations while under attack,” the draft notes.
Comments on the draft of the guidance are due by July 19.