Cyberwarfare is now as legitimate a form of battle as hand-to-hand combat or aerial attacks, all of which employ highly skilled teams to launch assaults against other countries.

Cyberwarfare adversaries, also known as the advanced persistent threat (APT), possess the tools and resources to pursue their objectives repeatedly over an extended period, adapting to defenders’ efforts to resist them.

Vulnerable data includes the sensitive but unclassified information managed by government, industry and academia in support of various federal programs. Now, a finalized publication from the National Institute of Standards and Technology (NIST) provides guidance to protect such “controlled unclassified information” (CUI) from the APT.


NIST’s Special Publication (SP) 800-172, “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171,” offers a set of tools designed to counter the efforts of state-sponsored hackers and complements another NIST publication aimed at protecting CUI.

“Cyberattacks are conducted with silent weapons, and in some situations those weapons are undetectable,” said Ron Ross, a computer scientist and a NIST fellow. “Because you may not ‘feel’ the direct effects of the next hack yet, you may think it is coming someday down the road; but in reality, it’s happening right now.”

The federal government relies heavily on nonfederal service providers to help carry out a wide range of missions using information systems — a term that includes computers, but also a range of other specialized technologies such as industrial control systems and the Internet of Things. The protection of sensitive federal information that resides in nonfederal systems — such as those used by state and local governments, colleges and universities, and independent research organizations — is of paramount importance, as it can directly impact the federal government’s ability to carry out its operations. A hack of a U.S. Navy contractor’s computers, which resulted in the theft of a large amount of highly sensitive data on undersea warfare, including plans for a supersonic anti-ship missile for use on U.S. submarines, directly inspired the NIST team’s work on SP 800-172.

SP 800-172 offers additional recommendations for handling CUI in situations where information runs a higher than usual risk of exposure. CUI includes a wide variety of information types, from individuals’ names or Social Security numbers to critical defense information.

“We developed SP 800-171 in response to major cyberattacks on U.S. critical infrastructure, and its companion document SP 800-172 is designed to mitigate attacks from advanced cyber threats such as the APT,” Ross said. “Implementing the cyber safeguards in SP 800-172 will help system owners protect what state-level hackers have considered to be particularly high-value targets: sensitive information about people, technologies, innovation and intellectual property, the revelation of which could compromise our economy and national security.”

The enhanced security requirements should be implemented in addition to those in SP 800-171, since that publication does not address the APT. The requirements in SP 800-172 apply to the components of nonfederal systems that process, store or transmit CUI or that provide protection for such components. To further narrow the scope, the requirements are applied only when the designated CUI is associated with a critical program or high-value asset — the highest priority for protection.

Developed primarily for administrators such as program managers, CIOs and system auditors, the publication addresses the protection of CUI for system components by promoting penetration-resistant architecture, damage-limiting operations, and designs to achieve cyber resiliency and survivability. Its tools, divided into 14 families, are not intended to be implemented en masse, but selected according to the needs of the organization.

“Most likely an organization implementing this guidance will not want to use all of the enhanced security requirements we offer here,” Ross said. “The decision to select a particular set of enhanced security requirements will be based on your mission and business needs — and then guided and informed by ongoing risk assessments.”