NIST is seeking comments on draft Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171.
SP 800-172 outlines security requirements that organizations should consider to protect controlled unclassified information on critical or high-value programs. The security requirements specifically apply to “nonfederal systems and organizations” facing an advanced persistent threat, that is, expert adversaries with significant resources.
The draft’s security framework relies on a three-step approach whose elements support and reinforce one another: penetration-resistant architecture, damage-limiting operations, and designing for cyber resiliency and survivability. If an advanced persistent threat finds a way to breach these security measures, which NIST acknowledges is a possibility, the publication suggests that organizations should have additional countermeasures available to outmaneuver the adversary.
Based on past feedback, NIST updated scoping and applicability guidance, provided a more flexible requirement section, added assignment and selection statements to certain requirements, and outlined adversary threat effects in the latest draft.
The agency is accepting comments through August 21.