Because cyber threats ceaselessly change, so do the protective measures agencies need to take. Cybersecurity guidelines from the National Institute of Standards and Technology (NIST) never stay static either. In fact, NIST is updating its guidelines in a crucial document known as Special Publication 800-171, which is written to help organizations protect sensitive, unclassified information. For the details, Federal Drive with Tom Temin spoke with NIST fellow Ron Ross.

Interview Transcript: 

Tom Temin I think we should call you Mr. Cybersecurity, too, because you have been associated with these documents for a long time now. 800-171 CUI, Controlled Unclassified Information, Secure Unclassified, whatever. There’s a lot of that data. What is the goal here for updating those guidelines?

Ron Ross Well, Tom, the special publication 800-171 was originally crafted by NIST back in 2015, and we were responding to requirements in an executive order that came out in 2010, and over the next several years, the executive order was updated. It has to do with, as you were saying, controlled unclassified information. This is information that is described by the federal government. It has certain requirements for protection that are based on a law or regulation or a governmentwide policy. So if you go to the National Archives and Records Administration website, NARA, they have a registry. There’s 82 different categories of information that are under the banner of controlled unclassified information. So NIST’s job, in this particular case, we already had our control catalog in SP 800-53, which most of your listeners are well aware of. But we had to do some specific tailoring. This particular executive order focused on protecting controlled unclassified information from unauthorized disclosure. The confidentiality was the real focus. So we took our original baseline of controls in 800-53, and we tailored them. We eliminated all the controls that weren’t specifically necessary to protect the confidentiality of CUI. So it’s been about eight years since the document was written. The threat space has changed dramatically in those eight years, and it’s just time for an update. And every time we update our control catalog in 800-53, we’re now in revision five of that document, we have to update all of the publications that depend on the control catalog for their source information.

Tom Temin Got it. And you have some specific things that have changed here, increased specificity for security requirements to remove ambiguity. So that’s something you would do, I guess any document as you read it again, and find things you would have done, could you? But are there any particular parameters that are important that are changing any specific controls or guidelines?

Ron Ross We’ve added several new requirements based on the update to 800-53, we have five. The requirements have gotten a little more specific, because we’re starting to move the language in 800-171 more toward the original language in 800-53, which is much more specific. When we have requirements, and the protections that we’re talking about now, we’re sending our federal controlled unclassified information over to the private sector, nonfederal organizations. So all this information has a lot of value. Things like nuclear information, defense information, design documentation for space and weapon systems, personal health information, personally identifiable information. All of this information has a lot of value. Some of it’s critical and very sensitive. It needs to have the same level of protection when it goes over the fence to the nonfederal systems and organizations. So we had to make the requirements as specific as we can, so we can set the appropriate expectation for the contractors. What do they actually have to do to make sure that information is protected appropriately? And then if there is an assessment of those requirements or controls to make sure they’ve been implemented correctly, that specificity helps the assessors to do that as well. You asked about some of the additional requirements. We have a couple. One comes from our moderate baseline in 800-53, and that is a requirement for independent third-party assessments of the requirements that have been implemented. That’s a big one. The federal government needs to have assurance that these requirements are implemented correctly. The controls are operating as intended, and it’s supporting the security policy, which we have in effect on the federal side, which kind of transfers out to the private sector. There’s also a requirement for external service providers.
So, for example, if the feds send a particular contractor controlled unclassified information, and they for some reason don’t have the resources to protect it and they outsource that to a third party. Then there’s a specific requirement that sets the exact same requirements on that third party. So even though indirectly the information is not in the contractor’s shop now, it’s being protected by a third party. We have to make sure that that third party, that outsourcing, if you will, that organization is also protecting the information. It kind of goes all the way down the supply chain. There’s this requirement for adequate protection at every level.

Tom Temin We’re speaking with computer scientist Ron Ross. He’s a fellow at the National Institute of Standards and Technology. So in many ways, I don’t know which came first, the chicken or the egg, but the Department of Defense’s (DoD’s) Cybersecurity Maturity Model Certification (CMMC) program, even though it’s kind of nascent at this point, does also have that idea of the external assessor of the measures you’ve taken and the supply chain aspect in there. So are they following you? Are you trying to adapt to what you think CMMC will do?

Ron Ross Well, a lot of people think that the 171 document is part of the CMMC program. In reality, as I was saying, our first publication was back in 2015. That was many years before the DoD CMMC program came along. And CMMC is building out and they’re developing that program. As part of the DoD rollout, in some of their regulations, they’ve called out a specific NIST publication, in this case 800-171. So when NIST writes a publication, our standards and guidelines, our FIPS, our standards, are mandatory for all federal agencies, but our guidelines are not mandatory unless specifically called out in an Office of Management and Budget (OMB) policy like A-130, that federal policy. So the 800-171, when it appears in a DoD program, a regulation for example, that really puts the force of the regulation behind that document. But the document that NIST produces by itself, we’re not a regulatory organization. We don’t have those authorities. Our job is to write the technical guidelines, and then any federal agency can use those and point to those in any program that they’re developing, any regulation they may come out with that would need to have those kinds of requirements. That’s kind of the relationship we have with the DoD CMMC program.

Tom Temin Sure, that’s a good thing to point out. And getting back to this specifically, the revision of 800-171, what’s the timeline here? You’re still open for comments and maybe a quick rundown on what generally you’re seeing in the comments that you’ve received.

Ron Ross Well, this is a really important update for this publication, revision 3 of 800-171. So the comment period goes for 60 days. It terminates on July 14, 2023. Our plan is to take all the comments, as we always do. Our publications, we really rely on our customers, both in the public and private sector, to give us that critical feedback. So the comments are trickling in now, but the majority come in toward the end of the comment period. Once we get all that information in, we’re going to look at every comment. We’re going to make the appropriate changes and we’re going to have a final public draft out sometime in the fall of 2023. I would say September timeframe in that area. Once that happens, then we will get the final set of comments and then we hope to publish the final publication very early in 2023. I’m thinking it’ll be the first quarter of the calendar year, 2023, hopefully in the January timeframe. We’re really pressing this publication. We want to make sure we get it out as quickly as possible, because there are sophisticated threats out there. The kind of information that we’re protecting in the CUI categories of information. Intellectual property is tied to technology, innovation, military systems, space systems. It’s some of the most sensitive information that we have as a country. If the information is compromised, it directly affects our national security and our economic security interests. So this is really a high priority publication. It has a huge footprint out there, because of the defense industrial base and all of the federal agencies that depend on the requirements for their contractors. So it’s just a top priority for us and we’re really moving as quickly as we can.

Tom Temin It sounds as if some of the information that is controlled and unclassified approaches national security level types of information. It seems to touch on, maybe a little overlap there.

Ron Ross Yeah, it’s hard to say. The National Archives and Records Administration, NARA, did a great job from that executive order. They redid the entire categorization of information types across the federal government. So basically our federal information falls into three buckets. It’s either classified national security information that’s by statute, it’s controlled unclassified information, that’s bucket number two. And then there’s everything else. So some of the categories, if you go on the website, the NARA registry, it’s very accessible. You can see the nuclear security information, personal health information, some of these things, the design documentation for weapons systems and space systems, that’s pretty critical information. It may not be classified yet, but it could be new technology going through that technology process, that kind of moving it from the left to the right. And eventually, it may become classified, but it’s not classified yet. However, to an adversary, they don’t care where the information is. If it’s valuable, it could be a big five defense contractor or it could be a small mom and pop two person organization. They’re going to try to find the information and compromise it, get it, because that research and development is incredibly expensive. And if they don’t have to do that same R&D, they can take that R&D that’s already been done by us. We innovate better than anybody, and they can use that to develop their own systems. And that’s a huge impact to national security and even our economic security for that matter.