The federal government relies heavily on nonfederal service providers to help carry out a wide range of missions using information systems. The protection of sensitive federal information that resides in nonfederal systems — such as those used by state and local governments, colleges and universities, and independent research organizations — is of paramount importance, as it can directly impact the federal government’s ability to carry out its operations.
Vulnerable data includes the sensitive but unclassified information managed by government, industry and academia in support of various federal programs. The National Institute of Standards and Technology (NIST) has published new tools designed to counter the efforts of state-sponsored hackers.
A hack in 2018 that compromised sensitive information directly inspired the NIST team’s work on its Special Publication (SP) 800-172. It complements another NIST publication aimed at protecting “controlled unclassified information” (CUI).
Formerly numbered SP 800-171B during its draft stages, SP 800-172 offers additional recommendations for handling CUI in situations where that information runs a higher-than-usual risk of exposure. CUI includes a wide variety of information types, from individuals’ names or Social Security numbers to critical defense information.
The enhanced security requirements are to be implemented in addition to those in SP 800-171, since that publication is not designed to address the advanced persistent threat (APT). The requirements in SP 800-172 apply to the components of nonfederal systems that process, store or transmit CUI or that provide protection for such components.
To further narrow the scope, the requirements are applied only when the designated CUI is associated with a critical program or high-value asset — the highest priority for protection.