Defense groups seek flexibility, mappings to other NIST publications in CUI series update

By Sara Friedman / September 26, 2022

Two large defense groups are urging NIST to consider how to align its four-part publication series on controlled unclassified information to other frameworks, while also suggesting potential changes related to the Pentagon's Cybersecurity Maturity Model Certification program.

NIST is in the early stages of updating its Special Publication 800-171 series, which offers a roadmap for how industry should protect sensitive federal data on its private networks. It is widely used across the federal government and is particularly important to level two of the CMMC program.

The agency issued a pre-draft call for comments in July with specific questions to inform future work.

The Aerospace Industries Association wants “[f]lexible implementation of NIST SP 800-171 controls to accommodate all types of technologies,” according to the group’s comments to NIST submitted on Sept. 16.

The defense association said, “For some federal agencies, implementation of the 800-171 means application of all 110 controls is mandatory, but not always feasible because some controls may be deallocated with a sufficient business justification. Additionally, to address their individual risks, there is a need for flexibility and risk assessment in determining what is needed for adequate security for different contractors, in different sectors, falling under different tiers in the” defense industrial base.

AIA proposes “having a control tailoring process or level of effort (LOE) decision tree for performing a cost-benefit analysis and determining the applicability of controls and requirements within a private industry organization.”

“In addition,” AIA said, “having a process that identifies which controls are ‘most important’ will help with the control selection process and determining alternative solutions for controls that have been deallocated.”

The National Defense Industrial Association asks for updates to elaborate on cloud architectures and zero trust. The group emphasizes how “revised security requirements should further instruct how the requirements [in 800-171] can be met in conjunction with cloud solutions, particularly in context of federal industry trends to adopt a cloud-first, zero-trust strategy.”

NDIA’s comments filed on Sept. 16 provide a detailed analysis on Operational Technology considerations.

“NDIA recommends that NIST SP 800-171 be revised to clarify which security controls are not well suited to OT, and to provide references to other NIST publications (e.g., NIST SP 800-182) that may be used to provide compensating controls for addressing CUI protection in OT,” the association wrote.

On CMMC, NDIA has several requests to help defense contractors understand how to implement SP 800-171 and also account for upcoming rules from the Defense Department to update CMMC. The 110 controls in SP 800-171 are closely aligned with CMMC level two.

“The current version of NIST SP 800-171 lacks clear scoping guidance,” NDIA said. “CMMC 2.0 has attempted to fill this void, yet the guidance still lacks clarity. Providing scoping guidance in NIST SP 800-171 would allow for better industry inclusion in the definition of the guidance.”

Further, NDIA said, “Inclusion of scoping guidance in NIST SP 800-171 would allow for the creation of a control applicability matrix to differing asset types. Scoping guidance should include information on which controls could align with each asset type. CUI assets and Security Protection Assets will not always be able to implement the same controls, nor should they. A Security Protection Asset that doesn’t process CUI should have a very different control set applied.”

Another suggestion is “removing elements and discussions that are duplicative of the other CMMC documentation and to just refer to the authoritative source for additional information and discussion,” NDIA said. “A quick sentence is appropriate but there are instances where too detailed of a discussion occurs in the [CMMC Assessment Process guide]. This will help minimize any discrepancies between documents.”

More guidance on security protections for external service providers, including managed service providers and managed security service providers, would be helpful, NDIA said. It notes that MSPs and MSSPs are different from cloud service providers and that more detail is needed to understand the equivalency between FedRAMP Moderate and a CMMC level two certification.

AIA emphasizes how it is important to have an “adjudication process for tracking changes to CUI publications that are impacted by new and updated laws and regulations.” This includes the original clause in defense acquisition rules that added 800-171 as a requirement for DOD contracts, the CMMC interim final rule and ongoing work to change CUI rules across government through the National Archives and Records Administration.

The process would maximize “participation and reduce the potential for deviations across current and planned domestic and international cybersecurity frameworks and standards,” according to AIA.

Fifty-six entities responded to NIST’s pre-draft call for comments to update the 800-171 series, including defense, tech and telecom associations, federal agencies, tech companies, academic institutions, and CMMC stakeholders.