The National Institute for Standards and Technology has some new advice for contractors that handle sensitive information desirable to adversarial nation-states.
In a new special publication, NIST SP 800-172, the agency details how systems administrators should arrange networks and which security practices could provide additional protection from advanced persistent threats (APTs) — the industry term for hacking groups typically associated with foreign governments.
The new document arrives in the wake of the SolarWinds incident, in which alleged Russia-backed attackers compromised the company’s update servers to push out malware to federal agencies, major corporations and other organizations. Similar attacks large-scale compromises are only expected to rise in frequency and ferocity, leaving contractors vulnerable to unwittingly giving away important information and damaging their reputations.
Much of the advice includes practices that should already be in place for federal contractors, such as using strong passwords, multi-factor authentication and automated tracking of unauthorized users on a network. Other suggestions could be a bigger lift — especially for small businesses — such as maintaining cyber-response teams in the event of a major incident.
“Cyberattacks are conducted with silent weapons, and in some situations those weapons are undetectable,” Ron Ross, a computer scientist and a NIST fellow, said in a release from NIST. “Because you may not ‘feel’ the direct effects of the next hack yet, you may think it is coming someday down the road; but in reality, it’s happening right now.”
This special publication builds upon NIST’s SP 800-171, a set of requirements that often apply to federal contracts that deal with controlled unclassified information (CUI). Even though agencies like the Department of Defense requiring those so-called “171” controls in many contracts, the security practices have often been ignored or not fully implemented by contractors. The security self-checkup clearly didn’t work for many companies, DOD officials have said.
Exfiltrations of sensitive data from companies handling CUI led the Pentagon to launch the Cybersecurity Maturity Model Certification (CMMC) program to ensure contractors are meeting requirements through third-party verification. The new “172” document will likely show up in contracts that pertain to sensitive information that nation-states would like to get their hands on.