Proposed NIST Updates and Data Incident Response Planning
Published by The Lawfare Institute
There are several ways in which an organization may discover that it has been the victim of a cyberattack or that an unauthorized third party has gained a foothold within its information technology (IT) environment. Perhaps most commonly, an organization’s own endpoint detection, network monitoring, and other technical security controls identify and quarantine malicious cyber activity and allow for an investigation into the nature and scope of the event. On rare occasions, an organization may be notified of a potential cybersecurity incident by a regulatory authority or law enforcement agency that has been monitoring and gathering intelligence on a threat actor’s activities and has identified a potential, or possibly ongoing, cyber operation against the business. In the most dire of circumstances, an organization may not realize that it has been subject to a cyberattack until after its network has been encrypted or it receives an extortion demand from a threat actor.
For several years, the federal government has been engaging with private-sector organizations, especially critical infrastructure operators, to mitigate the economic, national security, health, and public safety damage that can result from a cyberattack. This engagement has evolved from building public-private information-sharing programs, to issuing formal guidance to corporate executives and business leaders on developing information security programs, to mandating cybersecurity requirements for government agencies and contractors.
Given the many information-sharing and business partnerships between the federal government and the private sector, there is heightened concern about how private businesses retain sensitive government data within their own networks and systems. Accordingly, to assist the federal government in standardizing the types of security controls that the private sector should implement to protect such sensitive data in its custody and control, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-171, which sets forth a series of technical, physical, and administrative security controls designed to protect sensitive data in nonfederal information technology environments. However, given its comprehensive nature and flexible approach to information security, NIST SP 800-171 has become a key cybersecurity standard for all types of businesses and is no longer limited to government contractors. Accordingly, organizations across a variety of business sectors rely on it to create their information security programs and data breach response plans.
Recently, NIST released its proposal to update the information security controls set forth in SP 800-171, and the general public has until July 14, 2023, to submit comments and feedback on the proposed changes. Importantly, NIST’s proposal includes amendments to the framework for how organizations respond to data security events, which are especially timely for businesses as the cyber threat landscape is becoming increasingly dangerous and malicious cyberattacks are again on the rise.
SP 800-171 Amid Evolving Cyber Threats
SP 800-171 was first published in 2015 and provides a detailed list of security controls that the U.S. government recommends private-sector companies implement and maintain to protect certain types of government-derived information and data (often called controlled unclassified information or CUI) in their possession. These measures address technical security (configuration management, identification and authentication, systems and communication protection), physical security (access controls, environmental safety), and administrative security (awareness, training, personnel security).
Federal regulations have incorporated SP 800-171’s security requirements into government procurement processes, which makes this NIST framework applicable to the hundreds of thousands of businesses that contract with the federal government and others in the supply chain.
Yet SP 800-171 is not strictly limited to government contractors, and it has become a leading security standard for organizations across all business sectors. In fact, U.S. state legislatures (for example, in Ohio and Utah) have created safe harbor statutes that provide certain types of legal immunity for organizations that implement data security programs and are nonetheless impacted by a data breach. These laws specifically identify SP 800-171 as one such security program, which serves as an important incentive for businesses to adopt this NIST security framework.
The proposal to update SP 800-171 coincides with an evolution within the cybersecurity ecosystem. In particular, after a brief downturn in cyberattacks against private-sector businesses, schools, and other organizations in 2022, cybercrime has once again been on the rise. According to IT Governance, there were 104 publicly disclosed security incidents that accounted for 277,618,767 leaked records in January 2023. This amounted to more incidents than in any calendar month in 2022 and is among the most incidents ever recorded by the organization.
Similarly, Coveware found “a material increase in [cyber]attacks on large enterprises that achieved levels of impact” not observed since May 2021. Although there has been a decrease in the average costs of ransom paid by organizations, there has been, according to Coveware, a “measurable increase in the number of large public companies that sustained catastrophic levels of encryption and subsequent business interruption” resulting from the rise of cyberattacks in recent months.
These assessments from private security consultants mirror the federal government’s view of potential incoming threats. In February 2023, the Office of the Director of National Intelligence (ODNI) released its annual report on worldwide threats to the national security of the United States, which focused extensively on the cybersecurity threats to the U.S. government and private-sector businesses, especially from malicious activity initiated by China, Russia, Iran, and North Korea, as well as by non-state actors and criminal groups.
The ODNI report noted that “China probably currently represents the broadest, most active, and persistent cyber espionage threat to U.S. Government and private-sector networks” and “almost certainly is capable of launching cyberattacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems.” This assessment was an important precursor to the government’s alert on Volt Typhoon, a Chinese state-sponsored cyber actor that generally focuses on espionage and information gathering. More specifically, in May 2023, the U.S. government, in conjunction with its Five Eyes intelligence alliance partners (Australia, Canada, New Zealand, and the United Kingdom), published an advisory that provided “new insights” into the novel tactics, techniques, and procedures that Volt Typhoon is using to gain access to critical infrastructure networks and set forth measures that organizations should take to mitigate the risk it poses.
In addition, the advisory urged private-sector organizations to “strengthen their defenses and reduce [the] threat of compromise” from these sophisticated and well-funded cyber actors. As noted above, many organizations rely on SP 800-171 as the basis for building and maintaining a comprehensive cybersecurity program to protect and defend against cyber threats attributable to China and other malicious actors.
Proposed Updates to SP 800-171
The proposed changes to SP 800-171 focus on, among other areas, aligning the security controls therein with other NIST guidelines applicable to the federal government and describing these controls with more granularity to remove ambiguity and improve implementation effectiveness. Although not a core focus, the proposed SP 800-171 updates address data security incident response (IR), which is important for businesses to understand given the current cybersecurity threat landscape. In particular, the proposed changes seek to clarify the IR plans and controls that organizations should implement and specifically delineate the following measurable parameters:
- Develop an IR plan that provides a road map for implementing an incident response capability that includes preparation, detection and analysis, containment, eradication, and recovery.
- Update an IR plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing.
- Track and document system security incidents and report incidents to appropriate officials.
- Provide IR support resources that offer assistance to affected users.
- Test the effectiveness of the IR capability.
- Provide IR training and review and update IR training content at defined intervals.
These updates provide clarity on how organizations should address their IR planning, especially in the areas of testing and training. For instance, the NIST proposal reiterates the importance of using checklists, tabletop exercises, and other simulations to test an IR plan. It also adds new guidance on how organizations can use qualitative and quantitative data to help determine the effectiveness of IR processes. This framework is particularly important for multinational companies and other larger organizations that have key IT resources spread across various jurisdictions and time zones. They should test and measure the speed with which they can launch their IR teams and deploy digital forensic and other IR security tools, and should seek to identify ways to improve the efficiency and effectiveness of their recovery.
Some studies have shown that 95 percent of cybersecurity issues can be traced to human error. Accordingly, the NIST proposal modifies the framework for how organizations develop and implement narrowly tailored IR training programs, with a particular emphasis on employee cybersecurity awareness. Such training can range from requiring employees to know how to recognize and report a cybersecurity incident to specific training on forensics, data collection techniques, system recovery, and system restoration for employees deeply integrated into an organization’s technical cybersecurity response efforts. The proposal to amend SP 800-171 to create new categories around IR training reflects the importance of the human (as opposed to technical) elements of responding to a cyberattack. In turn, organizations should closely review NIST’s approach to this issue and ensure that their employees are properly trained to identify and respond to malicious cyber activity.
The NIST proposal identifies new factors that organizations should consider when determining whether they need to ramp up their IR plan and training content, including lessons learned from real-world attacks, audits, or assessments. In addition, these factors emphasize the need for businesses to amend their IR plans to align with changes in legal cyber incident reporting obligations and recognize that both federal agencies and U.S. state legislatures are continuously updating their information security laws and data breach reporting timelines and requirements.