A Q&A with Steve Stransky of Thompson Hine LLP
The National Institute of Standards and Technology (NIST), Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” is one of the most comprehensive and significant information security guidelines and standards available.
We spoke to Steve Stransky of Thompson Hine LLP to better understand NIST’s proposal to update SP 800-171, especially with respect to its incident response framework. Thompson Hine is a NetDiligence Breach Coach® and is dedicated to assisting organizations in responding to data security incidents and complying with data breach notification laws.
Can you provide an overview of SP 800-171? Why is it important?
Given the numerous partnerships between the U.S. government and the private sector, federal agencies are often disclosing certain types of sensitive (but unclassified) information to local companies and businesses. This means that private sector organizations are often accessing or storing this “controlled unclassified information” (or CUI) within their own private networks, systems, and devices (which the U.S. government does not control). Accordingly, NIST published SP 800-171 to help federal agencies regulate how private sector organizations store and transmit CUI in and from their IT environments. In other words, SP 800-171 sets forth a comprehensive set of technical, physical, and administrative security controls designed for private sector businesses to implement and maintain to protect the CUI in their possession.
Which organizations are required to adopt SP 800-171?
Currently, there are a limited number of federal regulations that require organizations to maintain a security program in compliance with SP 800-171. For instance, since January 1, 2018, certain defense contractors have been required to comply with SP 800-171, and this compliance has traditionally been satisfied through self-assessments/attestations. However, the U.S. Defense Department is in the process of implementing changes to these requirements and mandating that certain defense contractors receive third-party compliance certifications. You have to remember that there are hundreds of thousands of organizations that are considered defense contractors or subcontractors or who are otherwise involved in this supply chain that can be impacted by the requirement to comply with SP 800-171.
Does this mean SP 800-171 only applies to defense contractors?
Not necessarily. Given its comprehensive nature and ease of use, many organizations voluntarily use SP 800-171 as the authority source for designing their own security programs to safeguard personal data and proprietary business information in their custody and control.
Also, several U.S. states have enacted laws requiring organizations to implement technical, physical, and administrative security controls to protect sensitive personal data in their custody and control, and organizations that fully adopt SP 800-171 almost certainly satisfy these legal requirements.
In addition, a few U.S. states (e.g., Ohio, Utah) have created “safe harbor” statutes that provide some legal immunity to organizations that comply with certain information security standards but are nevertheless still impacted by a data breach. These laws specifically identify SP 800-171 as such a standard, which serves as an important incentive for businesses to adopt this NIST security framework.
How does SP 800-171 address security controls? How are they being updated by NIST?
SP 800-171 sets forth 110 technical, physical, and administrative security measures designed to protect the confidentiality, integrity, and availability of CUI. These measures are listed within one of the following 14 “families” of controls: Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical Protection; Risk Assessment; Security Assessment; System and Communications Protection; and System and Information.
On May 10, 2023, NIST released its proposal to update the information security controls set forth in SP 800-171. According to NIST, it updated SP 800-171 in order to account for the evolution of information security threats and availability of new risk mitigation solutions and tools. The proposed changes focus, among other areas, on aligning SP 800-171’s security controls with other NIST publications applicable to the federal government (i.e., NIST SP 800-53) and describing in more granularity their security controls to remove ambiguity and improve implementation effectiveness.
How does SP 800-171 specifically address incident response?
Although not its core focus, the proposed updates to SP 800-171 address incident response (IR), which is especially important given the current cybersecurity threat landscape. In particular, the proposed changes seek to clarify the following IR plans and controls that organizations should implement:
- Develop an IR plan that provides a roadmap for implementing an IR capability that includes preparation, detection and analysis, containment, eradication, and recovery.
- Update an IR plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing.
- Track and document system security incidents and report incidents to appropriate officials.
- Provide IR support resources that offer assistance to affected users.
- Test the effectiveness of the IR capability.
- Provide IR training and review and update IR training content at defined intervals.
NIST’s proposal reiterates the importance of using checklists, tabletop exercises, and other simulations to test an IR plan. It also adds new guidance concerning how organizations can use qualitative and quantitative data aids to determine the effectiveness of IR processes.
How does Breach Plan Connect® align with SP 800-171?
An important part of any information security program, including SP 800-171, is to develop and maintain a practical and reasonable IR plan, and NetDiligence’s Breach Plan Connect® can help organizations satisfy this requirement. By assisting companies in establishing and documenting clear action steps, roles, and responsibilities in the event of a cybersecurity event, Breach Plan Connect can help them effectively and efficiently respond to ransomware attacks, business email compromises, and other cybersecurity events.
In fact, NIST’s proposal identifies new factors that organizations should consider when determining whether they need to update their IR plans and training content, including changes in applicable laws and regulations. This is especially important as federal agencies and U.S. state legislatures are continuously amending information security laws and data breach reporting timelines and requirements. Breach Plan Connect is an easy-to-use solution that allows businesses to quickly update their IR plans to address changing legal requirements and other real-world experiences.