The new “Cold War” is being fought in cyberspace and nobody is safe, especially the US, who has more than 60,000 defense contractors working for them, meaning that foreign adversaries have over 60,000 targets.
This is the reason that the National Institute of Standards and Technology’s (NIST) updated its security. The new document, entitled Draft NIST Special Publication (SP) 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, (along with the companion publication, NIST SP 800-171B), gives readers strategic means to protect high-risk Controlled Unclassified Information (CUI) for not only their highest assets, but government programs, as well. CUI can range from data as personal as Social Security Numbers to information as expansive as national defense.
Protecting this data is vitally important to national security, considering that CUI has recently been targeted, often successfully, by foreign hackers. So much so that the Department of Defense sought out assistance from NIST in helping to thwart these attacks. They are even currently requesting public comments on the document, which, according to Ron Ross, one of NIST’s authors, they hope will “help organizations protect CUI against our most advanced and persistent adversaries.”
Since in 2015, there have already been 110 security requirements with which federal contractors have had to comply. But the NIST companion document, SP 800-171B, supports CUI for companies storing high value assets. It doesn’t change anything but rather includes 32 new and enhanced requirements for additional security when battling cyber warfare.
Often, enemy hackers will hunker down and silently siphon information for years without detection. When this occurs, Ross states that companies need to have safeguards in place to “confuse, deceive, mislead and impede the adversary…” Because the breach is just the beginning of this battle.
Fortunately, SP 800-171B is only applicable to a small number of contractors; not every company will need to adhere to the stepped-up requirements. Still, it is recognized that there will still be a number of contractors who will be unable to implement the new requirements; therefore, a revised draft includes information on how to successfully utilize third party IT contractors.
Recognizing the new generation of threats is the first step. Finding a solution will greatly cut down on the impact of these hostile acts. If you need assistance evaluating your cyber vulnerabilities, please contact us for a consultation.