NIST SP 800-172 and future of US gov supply chain security
By Phil Lewis | Date published: 17 May 2021
In February 2021, the National Institute of Standards and Technology (NIST) released Special Publication NIST SP 800-172. Regarded as a supplement to NIST SP 800-171, which applies to federal contractors that handle Controlled Unclassified Information (CUI) on their networks, NIST SP 800-172 has been introduced to help organizations protect sensitive government information from advanced persistent threats (APTs). With 35 enhanced requirements, its mission is to protect the confidentiality, integrity, and availability of CUI in non-federal systems and organizations associated with critical government programs or high-value federal assets. As organizations and suppliers adapt to this new requirement and work to achieve NIST SP 800-172 compliance, Phil Lewis, Titania CEO, explains what this means for the future of US government supply chain security.
NIST SP 800-172’s introduction is timely, following the high-profile cyber breaches in 2020 that used networks of the federal supply chain as the ‘on ramp’ to commence their attacks. Executed by state-sponsored attackers, these breaches impacted at least six US federal agencies, including the departments of Energy, Commerce, Treasury, and State. The full scope of the cyber-attack is yet to be understood: the breach was stealthy, blending in with the data flowing through government and corporate networks, and lasted for many months. These attacks demonstrated how the supply chain has become the soft underbelly through which attackers access, compromise, and steal sensitive government data.
NIST SP 800-172 recognizes this reality: despite contractors implementing best protection measures, APTs may still find ways to breach primary boundary defenses and deploy malicious code within critical networks. SP 800-172’s enhanced cybersecurity standards are therefore designed to provide the foundation for a multi-dimensional, defense-in-depth protection strategy that makes contractors more resilient against these attacks and makes it more difficult for sophisticated attacks to proliferate.
However, for these controls to effectively safeguard networks and organizations, consistent compliance is essential. Indeed, the Department of Defense (DoD) recently introduced new NIST SP 800-171 compliance reporting requirements for the defense industrial base, to apply until CMMC is fully implemented in 2025. This changes the approach to a “trust, but verify” model in which DoD has the right to audit a contractor's SP 800-171 compliance. CMMC takes these compliance requirements further by requiring defense contractors to be assessed by a third-party auditor and certified to the appropriate cyber maturity level by the CMMC Advisory Board before contract award. Verified compliance is therefore increasingly a means the US government is embracing to enhance supply chain security. While it is understood that the federal standards in place when the recent attacks commenced may not have prevented such advanced attacks, NIST SP 800-172’s introduction is intended to make it harder even for sophisticated attackers and, in doing so, make the federal supply chain more resilient.
The US federal government relies upon – and will continue to rely on – its supply chain and non-federal service providers to undertake a range of responsibilities. However, the 2020 breaches highlighted that there is a critical need to improve and enhance cybersecurity, cyber resilience, and the overall security of the supply chain for the United States Department of Defense. To quote Dr. Ron Ross of NIST, “Cyberattacks are conducted with silent weapons, and in some situations those weapons are undetectable. Because you may not ‘feel’ the direct effects of the next hack yet, you may think it is coming someday down the road; but in reality, it’s happening right now.”
Therefore, how can cybersecurity standards such as NIST SP 800-171 and the recently introduced SP 800-172, together with CMMC, better enable government contractors to achieve their cybersecurity goals? This was recently the topic of discussion for Titania’s webinar with cybersecurity experts Dr. Ron Ross and John Weiler of the CMMC CoE. In case you missed it, you can watch the full session on demand.
For more discussion on this, watch our on-demand panel discussion on the importance of cybersecurity standards in advancing supply chain risk management, featuring:
- Dr. Ron Ross, NIST fellow, and principal architect of the NIST Risk Management Framework
- John Weiler, Co-Founder, IT Acquisition Advisory Council, SCRM CoE, and Information Technology Management, Solution Engineering and Architecture expert
- Phil Lewis, CEO of Titania
- Matt Malarkey, Co-chair of the CMMC CoE Supply Chain Working Group