– Unique and Effective Approach for Protection of CUI –

Security requirements, NIST SP800-171 have recently came into the spotlight and are often seen along with other series of NIST SP800.

As we thrive on a daily basis to gather information on the environment surrounding the ever-changing information security, the more we investigate, the deeper impression we get that NIST SP800-171 is unique.

In this White Paper, we’d like to have a brief discussion on what is unique about NIST SP800-171 and where the U.S. is head by providing the requirements mentioned in the heading.

【Characteristics of NIST SP800-171】

We have gained the following understanding after researching explanation information issued by DoD and NIST as well as interviews with US defense industry companies. Followings are a few items we picked up for discussion.

NIST SP800-171 is a set of “requirements” not “controls”

NIST SP800-171 focuses on “confidentiality” among the three elements of information security.

Level of compliance is “self-assessed”, and examined whether it’s as self-assessed when incidents are identified.

Now, let’s take a look one by one.

① NIST SP800-171 is a set of “requirements” not “controls”

What is aimed by DFARS 252.204-7012 and NIST SP800-171 cannot be actually understood individually; rather, it becomes clear only when they are combined. In short, the aim is that “The U.S. government (in this case, DoD) imposes on their contractors to implement measures such that the critical controlled information (CUI: Controlled Unclassified Information) provided as required to fulfill contractual agreements won’t be disclosed to anyone other than directly concerned parties”.

That is, it’s not intended to prescribe how the contractors shall take overall measures regarding information security, but it rather “prescribes as a requirement document a minimum rule to be complied on how not to disclose CUI specified by the government”. It differs from “specifications for controls for overall information security” such as NIST SP800-53 and ISO/IEC 27001 in terms of the purposes.

② NIST SP800-171 focuses on “confidentiality” among the three elements of information security.

This is also related to ①; NIST SP800-171 focuses on C, Confidentiality, among the three information security elements, CIA (Confidentiality, Integrity, Availability). It’s because the purpose of NIST SP800-171a (and DFARS252.204-7012)is “not to disclose CUI”. It defines “the minimum (base) requirements to be complied by entities who are entrusted with the government CUI” while the other purposes such as convenience for when using CUI during normal course of business are only secondarily concerned with.

The three elements are evenly described in “specifications for controls for overall information security” such as NIST SP800-53 and ISO/IEC 27001, whereas NIST SP800-171 omits those requirements other than C (Confidentiality) because they are out of the main purport of NIST SP800-171, “not to disclose CUI”.

③ Level of compliance is “self-assessed” and examined whether it’s as self-assessed when incidents are identified.

For some of you, it might be baffling the NIST SP800-171 is a self-assessment system.

Accordingly, NIST published SP800-171A (Assessment) and NIST Handbook 162(NIST MEP Cybersecurity Self-Assessment Handbook) for readers to obtain an understanding of and/or assess the method of compliance with the applicable requirements in more details. Also, NIST SP800-171 does not prescribe any rules in the first place that certain organizations give certification or make pass/fail judgements.

How it works is that when an incident occurs, “the declared state (SSP/PoAM:System Security Plan/Plan of Action and Milestones)” and the actual situation are compared for the first time and if the actual situation differs from the self-assessment, entities will be held liable by a lawsuit. In addition, since the risk of disclosure of CUI cannot be eliminated when the subjects to the requirements are only limited to entities which directly receive CUI from the U.S. government, the requirements are flowed down to all the entities receiving CUI as subcontractors.

【Where the U.S. is headed with DFARS 252.204-7012 and NIST SP800-171; and Japan’s quest】

So far, we have picked up and introduced some of the characteristics of NIST SP800-171. We consider a state satisfying NISP SP800-171 requirements as “a state where all the CUI is digitized and protected all times with an adequate level of strength (including encryption) under appropriate management of access privileges and user authentication. At the core of DFARS 252.204-7012 and NIST SP800-171, with a vision of such world, there seems to exist a movement to guide toward the realization of such world over time.

In NIST SP800-53 and ISO/IEC 27001, an implementation of improved measures by following PDCA cycle at a slow pace is required; however, enforcing the whole supply chain with entities each having different available resources to adopt a broader array of these security measures uniformly is not only unrealistic due to an excessive burden in terms of costs but also might result in measures being discursive and the core protection measures of CUI being blurred.

We aim to promote an application of CUI protection technologies such as “authentication and encryption” and to further raise awareness of information security throughout the industry including smaller businesses so that Japan can obtain a reputation as a safe country in information management.

From this standpoint, DFARS 252.204-7012 and NIST SP800-171 are considered a new level of approach to information security different from NIST SP800-53 and ISO/IEC 27001.

We couldn’t be any happier if we could be help creating a world where this movement is not considered as just an accompanying rule for contracts with the U.S. government, but taken as a clue for solving issues working together on a national basis while the change of time and innovation of technology lay down the foundation, and the confidentiality of CUI to be controlled is ensured at a high level without overreacting.

Nov.24, 2018; “Authentication Date”