The National Institute of Standards and Technology is close to finalizing a new set of guidelines governing the protection of controlled unclassified information, or CUI, that will form the basis of a new acquisition regulations clause that federal contractors will be required to follow.
The public comment period for NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, closed Tuesday, and a final document is expected to be released next month. But Richard Hale, the Defense Department’s deputy chief information officer for cybersecurity, said DOD plans to use the new guidelines to rewrite the safeguarding clause contained in the Defense Acquisition Regulations System.
“It’s where we tried to write down the guidebook for doing the cybersecurity basics for government and for industry,” Hale said. “And then what we’re going to start doing in the government is point to this thing in contracts. So we’re going to say, ‘Hey, if you handle controlled unclassified information, this is what you have to do.'”
The effort to define and streamline unclassified data under the CUI moniker — formerly referred to as Sensitive But Unclassified information — has been a work in progress for several years. CUI is meant to cover unclassified data that still requires protection from public disclosure, such as technical defense information, engineering data, specifications or personally identifiable information. The National Archives and Records Administration is the government’s executive agent for CUI and released a draft rule last week for standardizing the definition and treatment of CUI across government.
There are about 150 controlled unclassified systems throughout the federal government that will be placed under the new guidelines, according to Hale.
“This idea of having some baseline that we all have to do I think is going to get stronger and stronger over time,” Hale said. “It’s much better than the list of controls that we used in our last safeguarding clause.”
Beyond the basics
For the Defense Department, “mission appropriate cybersecurity” remains the central aim of the department’s risk management framework. Officials are currently conducting a prioritization effort to determine how much and where the department invests its cybersecurity funding. Those decisions will be tracked by the Office of the Deputy Secretary of Defense, Hale said.
“We’re writing guidebooks for program managers on how the risk management framework fits into the acquisition process,” he said. Those guidebooks will cover not only government program offices and acquisition professionals but also contractors who are writing software for mission-critical weapons systems.
But on the operational front, the focus is on using big data to defeat cyber adversaries, Hale said.
“We’re trying to use rich data about bad guys to look at some of the infrastructure defenses and decide whether or not we’re spending our money in the right place,” he said. Agencies now have ample data available and the analytical tools that can tell them how their security systems are performing, and they can quickly map new attacks against that data to determine what can be blocked. “That’s a big change over how things worked even just a few years ago,” Hale said. “You actually now have bad guy capability data that you can use to make decisions about what to buy or how to structure your operation.”
According to Hale, DOD hasn’t always made good use of the data it collected on attackers. “We have ever-better data about bad guys and we have ever-better data that’s unclassified about bad guys. So this data can be very helpful in actually doing cybersecurity.” Hackers tend to get into networks in a particular way that can be profiled, he said. “They do a [domain name system] lookup in a particular way, they contact their command and control network in a particular way, they dump more malware in a particular way, they escalate privileges in a particular way and they move laterally in a particular way. So you can start to characterize all of these particular groups … and then you can kind of map your defenses against this ever-richer set of data about adversaries.”
The Defense Department analyzed all its attack data, as well as data from other organizations, and found that in almost every case, the attacker exploited a preventable security flaw. “The threat data has confirmed that even when we have a really sophisticated adversary and we may actually see very sophisticated malware, we’re not seeing attacks against sophisticated vulnerabilities,” Hale said. “People are still using the same old stuff.”