Now a special security publication for the bulk of the data agencies worry about



The federal government produces nothing so much as data, mountains of data every minute. And much of this information is in the form of controlled unclassified information, known as CUI. Now the National Institute of Standards and Technology has established a special guide to protecting CUI. Federal Drive with Tom Temin talked to the acting manager of NIST’s Security Engineering and Risk Management Group, Vicki Pillitteri, to find out what every data owner needs to know.

Interview transcript:

Tom Temin: Ms. Pillitteri, good to have you on.

Vicki Pillitteri: Thank you so much for having me here with you today, Tom.

Tom Temin: Now we all know and love the Special Publication 800 series that has been published for many years by NIST. Is 800-172, regarding CUI, a revision, or has this one been around for a while, like the rest of them?

Vicki Pillitteri: Well, 800-172 was released last year in February of 2021. So it is relatively new. And this is the first time we’ve issued a Special Publication 800-172, the enhanced security requirements for protecting controlled unclassified information.

Tom Temin: And just if you would maybe give us a sense of what people mean when they say controlled unclassified information, I mean, the unclassified we can understand but controlled?

Vicki Pillitteri: Controlled unclassified information, or as it’s frequently called, CUI, is unclassified information that requires protection as identified in law, regulation, or government-wide policy. So effectively, that’s saying that CUI is a very broad category of information that includes different types of sensitive but unclassified federal information that requires specific safeguarding.

Tom Temin: And in some sense, isn’t all government information then that way or that subject to that?

Vicki Pillitteri: Well, yes and no. So federal agencies generate, use, store, and share information that doesn’t meet the threshold for classified information, right? So the classification is national security or atomic energy information, but it still needs some level of protection from unauthorized access and release. So protections may be required for, say, privacy information, law enforcement, or even other reasons, like critical infrastructure.

Tom Temin: Alright, so now we have 172A, that is a draft. And that’s the NIST standard procedure: you put the draft out for revisions, and then people comment on it, and then you issue it as a final. What do we need to know that is in the new draft?

Vicki Pillitteri: Well, actually, we’ve already gone final. But thank you for talking about NIST’s publication process. Public engagement is such a critical element of NIST when we develop new standards and guidelines. While I get the honor of working with some of the best and brightest within my organization, we know that there are a lot of smart people in industry and other federal agencies and even internationally that can contribute and improve the quality of the publications that we put out. Ultimately, our goal is to raise all boats in the world of cybersecurity, right? So actually, 172A provides assessment procedures for conducting assessments of the enhanced security requirements in 800-172. We finalized this publication earlier this month, actually, in March 2022.

Tom Temin: And just define for us what it means to assess a requirement.

Vicki Pillitteri: Well, ultimately, you know, we are security folks at the end of the day, right? We trust, but we need to verify. How do I know that I, or you, have implemented the enhanced security requirements? Are they operating as intended? And are they producing the desired result at the end of the day? 800-172A, the A is for assessment. It helps organizations determine, are those enhanced security requirements in place? Are they achieving the desired results? Are they getting the impact and the outcome that you intend?

Tom Temin: We’re speaking with Vicki Pillitteri, she’s acting manager of the Security Engineering and Risk Management Group at the National Institute of Standards and Technology. And does best practice require someone other than the person or the group that implemented the controls to do the assessment on them, such that you have kind of an oversight job being done while you’re also assessing whether the controls are properly in place?

Vicki Pillitteri: Ultimately, it depends, right? This guidance can be used by organizations for self-assessment. I would almost consider it, you know, like a practice quiz. When you’re taking a training module, after each learning segment, you get a little test quiz before the real one for full credit at the end, right? So this guidance, 800-172A, can be used internally to determine, am I meeting the requirements? Did I set up my program? Am I implementing these requirements such that I’m getting the outcome, as a test run before a third party or an external assessor determines the actual verdict, right? But ultimately, it comes down to how it’s being used. Organizations can obviously use any NIST guidance voluntarily. It’s all out there, already paid for, and available to anyone and everyone. Other organizations, such as those in the defense industrial base, may be using this because they’re being directed to through the DFARS cybersecurity clause or the CMMC, the Cybersecurity Maturity Model Certification. And it depends on the scenario. But regardless of what scenario you are in, it’s good guidance, and it’s a good head start.

Tom Temin: Yes, you answered the question I was going to ask next. This is available and should be used by industry, especially pursuant to CMMC, as that program haltingly and stumblingly rolls out. That’s my assessment of it, not yours. But eventually industry should adopt these.

Vicki Pillitteri: Yes, one key stakeholder group for this suite of publications, 800-171, 800-171A, 800-172, and 800-172A, are those in the DIB and those that are using the CMMC. One of the major changes in the streamlined model introduced by CMMC 2.0 is the direct alignment with both 800-171, the CUI security requirements, and 800-172, the enhanced security requirements. So specifically, in CMMC 2.0, the Level 3 assessment includes selected enhanced security requirements from 172.

Tom Temin: Okay, well, keep a score of that with a whiteboard, I guess, if people are listening. And the granddaddy of these all, which is 800-53. Is this a subset of the controls in there? Or is it a subset of, say, what might apply to classified information, but you don’t need to do everything you need to do for classified?

Vicki Pillitteri: Multi-part question, multi-part answer. So yes, it is derived from 800-53, similar to the security requirements in 171. They’re tailored from the 800-53 security controls. And I know that we’re playing numbers soup with the numbers of our publications. So 172 identifies those security controls from 800-53 that are focused on cyber resiliency: how do we support cyber resiliency, in addition to protecting the CUI from unauthorized disclosure? So beyond protecting the confidentiality of this CUI, it’s also focused on protecting the integrity and availability of CUI in critical programs and high value assets. So really, the scope of 172 was pared down to focus on the most critical systems and programs with CUI; it’s not applicable to everything. These enhanced security requirements were designed to respond to APTs and supplement the basic and derived security requirements in Special Publication 800-171. So this is almost like icing on the cake.

Tom Temin: And who should be familiar with these controls, and the enhanced controls and the rest of it? It’s not just the chief information security officer channel in an agency. Should program people and data officers and so on also, at least, be familiar with what is needed to protect the information they use or generate?

Vicki Pillitteri: Absolutely. Anyone that has a role in every, well, actually, everyone has a role in information security, right? Any entity that’s using the enhanced security requirements, or is subject to the enhanced security requirements in Special Publication 800-172, can also benefit from leveraging the assessment procedures in 172A. As I mentioned before, you know, one key stakeholder group are all the organizations in the defense industrial base that are subject to DoD’s Cybersecurity Maturity Model Certification. With their updated alignment to NIST guidance, you’re able to see this guidance and use that as a starting point within your organization to make sure that your security requirements are in place, operating as intended and achieving the desired results.

Tom Temin: All right, 172A has been finalized just last month, March. And so we urge everyone to curl up with it one evening and get familiar. Vicki Pillitteri is acting manager of the Security Engineering and Risk Management Group at NIST. Thanks so much for joining me.

Vicki Pillitteri: Thank you so much, Tom.

Copyright © 2024 Federal News Network. All rights reserved.