NIST Recommends Tightened DoD Contractor Security

The military today operates in an interconnected ecosystem of primes, subs, suppliers and partners where one weak cybersecurity link can be the downfall of the entire chain. Witness last October’s breach of Defense Department travel records, where an attack on a third-party vendor led to the theft of personal data of more than 30,000 employees. 

To help protect sensitive but unclassified information from cyberattack, the National Institute of Standards and Technology’s (NIST) recently released a report telling contractors how to better secure their systems. Such Controlled Unclassified Information (CUI) includes a variety of data types from Social Security and credit card numbers to more defense-centric information. 

“When CUI is part of a critical program or a high value asset — such as a weapons system — it can become a significant target for high-end, sophisticated adversaries. In recent years, these programs and assets have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST,” NIST said in a statement.

In particular, the NIST report targets advanced persistent threats, which are adversaries with sophisticated cyber skills that attack again and again over long periods of time. 

“We need to provide safeguards and countermeasures that can stand up to these attacks,” Ron Ross, a fellow in NIST’s Computer Security Division and one of the publication’s five authors, says in a press release. “When this happens, you need additional safeguards and countermeasures to confuse, deceive, mislead and impede the adversary. The strategies in (the report) can help you take away the adversary’s tactical advantage and protect and preserve your organization’s high value assets and critical programs, even after the adversary has penetrated your system.” 

As the travel records breach showed, DoD vendors and contractors of all types have access to or possess CUI. In many instances they provide a variety of critical business operations like billing, payroll and employee benefits, legal, call-center and help desk, data centers, cloud services, email support, data storage, and software development. 

NIST is accepting comments on the report: NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, until August 2. 

The report offers recommendations in 14 categories of cybersecurity for vendors and contractors that process, store, transmit, and provide security protection for CUI using their own non-federal systems. They are: 

Access Control: Limiting system access to authorized users, users acting on behalf of authorized users, and authorized devices. Separate the duties of individuals to reduce the risk of malevolent activity by preventing security personnel administering access control functions to not also administer audit functions, for example. Employ the principle of “least privilege,” which means users and systems administrators only have access to what they need. 

Awareness and Training: Train managers, systems administrators, and users of organizational systems so they are aware of the security risks associated with their activities.

Accountability: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.

Configuration Management: Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

ID and Authentication: Authenticate the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

Incident Response: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

Maintenance: Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

Protection: Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

Personnel: Screen individuals prior to authorizing access to organizational systems containing CUI. Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Physical Protection: Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals. Enforce safeguarding measures for CUI at alternate work sites, including the private residences of employees.

Risk Assessment: Assess the risk to organizational operations, assets, and individuals resulting from the operation systems used for processing, storage, or transmission of CUI.

Security Assessment: Assess the security controls in organizational systems to determine if the controls are effective in their application. Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

Systems and Communications: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

System and Info Integrity: Identify, report, and correct system flaws in a timely manner. Update malicious code protection mechanisms when new releases are available. Monitor organizational systems, including inbound and outbound communications traffic, todetect attacks and indicators of potential attacks.