NIST official: Revisions coming for data protection guide, will address 'advanced' cyber threats

By Rick Weber / October 19, 2018 at 10:37 AM

GAITHERSBURG, MD -- The National Institute of Standards and Technology is planning to issue a draft second revision to its guidelines for controlled unclassified information handled by the Defense Department and government contractors, in order to better address "advanced persistent threats," according to a key NIST official.

The upcoming draft revisions are based on recent assessments that information critical for national security requires "enhanced" protections, the NIST official said at a public meeting updating industry and government officials on the data requirements at NIST headquarters on Thursday.

NIST's Ron Ross said a draft revision to NIST guideline 800-171 would be issued before the end of the year for public comment. The revisions are "just in the planning stages this week" and a formal announcement will be issued soon. Ross said the enhanced requirements would be proposed for comment as an appendix to the overall document to offer additional protections beyond "basic" controls outlined in chapter three of the guidelines.

The NIST guidelines are the basis for the Defense Federal Acquisition Regulation Supplement, or DFARS, requirements for cybersecurity risks issued in 2017 and still being implemented by DOD.

Ross said the enhanced requirements will be offered for government contractors and other non-federal entities that determine they are handling "very critical information" being targeted by adversaries because of its national security implications. Ross said the upcoming appendix is based on the recognition that the basic protections of the guidelines "can't address all threats."

Revision one of NIST Special Publication 800-171 was issued in December 2016, with an update released last June. NIST officials at this week's meeting said the requirements of the document are now contained in more than a million federal contracts.

"The security requirements apply to all components of nonfederal systems and organizations that process, store, or transmit CUI, or that provide security protection for such components," according to NIST. "The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations."