Protecting the Nation’s Most Sensitive Information and 800-171 Update – Ron Ross – CSP #131
NIST recently released the initial draft of a major update to its cybersecurity guidelines for protecting sensitive unclassified information. The update is intended to help federal agencies and government contractors implement cybersecurity requirements more consistently. The revised draft guidelines, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST Special Publication [SP] 800-171 Revision 3), will be of particular interest to the many thousands of businesses that contract with the federal government. Federal rules that govern the protection of controlled unclassified information (CUI), which includes such sensitive data as health information, critical energy infrastructure information and intellectual property, reference the SP 800-171 security requirements. Systems that store CUI often support government programs containing critical assets, such as design specifications for weapons systems, communications systems, and space systems. The changes are intended in part to help these businesses better understand how to implement the specific cybersecurity safeguards provided in a closely related NIST publication, SP 800-53 Rev. 5. The authors have aligned the language of the two publications, so that businesses can more readily apply SP 800-53’s catalog of technical tools, or “controls,” to achieve SP 800-171’s cybersecurity outcomes. The update is designed to help maintain consistent defenses against high-level threats to information security. Many of the newly added requirements specifically address threats to CUI, which recently has been a target of state-level espionage. NIST wants to implement and maintain state-of-the-practice defenses because the threat space of hostile adversaries is changing constantly. Protecting CUI is critical to the national and economic security interests of the United States.
This segment is sponsored by Google. Visit https://securityweekly.com/chrome to learn more about them!
Ron Ross is a Fellow at the National Institute of Standards and Technology. His focus areas include computer security, systems security engineering, risk management, security assurance, and trustworthy systems. Dr. Ross leads the NIST Systems Security Engineering Project which includes the development of standards and guidelines for the federal government, contractors, and United States critical infrastructure. He also supports the U.S. State Department in the international outreach program for cybersecurity and critical infrastructure protection. Dr. Ross previously served as the Task Leader for the Joint Task Force, an interagency group that includes the Department of Defense, Office of the Director National Intelligence, U.S. Intelligence Community, and the Committee on National Security Systems, with responsibility for developing a Unified Information Security Framework for the federal government. He also served as the project leader for the Federal Information Security Modernization Act (FISMA) Implementation Project. Dr. Ross has authored or coauthored many publications on risk management, cybersecurity, systems security engineering, and cyber resiliency including SP 800-37 (Risk Management Framework), SP 800-53 (Security and Privacy Controls), SP 800-171 (Protecting CUI), and SP 800-160 (Systems Security Engineering and Resilient Systems). He received a Bachelor of Science degree in Engineering from the United States Military Academy at West Point and holds both Masters and Ph.D. degrees in Computer Science from the United States Naval Postgraduate School specializing in artificial intelligence and robotics.
