Video Interview: Victoria Pillitteri from NIST on SP 800-171 Rev. 3 and more
Hi, I'm Mark Berman. I'm here at CIC 2024 in beautiful Mission Bay, San Diego. I'm lucky enough to be here with Vicky Pillitteri from NIST. Vicky has a really important role for us as a nation, which is to be one step ahead of our current cybersecurity needs by setting the standard, setting the framework that we're all going to live up to.
"Tell me a little bit about why you're here and what you do."
"Well, thank you so much for inviting me, first and foremost, to join you guys this year at CIC 2024. I work at the National Institute of Standards and Technology. Our role in this space is to develop the technical standards and guidelines for cybersecurity used across all sectors. But specific to this conference, we may or may not be responsible for this little-known technical standard called NIST, Special Publication 800-171, protecting the confidentiality of controlled, unclassified information in non-federal systems and organizations. And, yes, we do get paid by the word."
"So for somebody who may not be in the industry, what are all those words strung together mean? What kind of information and why do we need it to be protected in the first place?"
"So, basically, at the end of the day, federal information, controlled unclassified information, information is, you know, has a value and is important by law. We're required to protect it at a certain level for confidentiality. So what our technical publication does is set that technical standard for how organizations would protect the confidentiality of this kind of information."
"What are some examples of that kind of information?"
"Well, in the defense space, we have controlled technical information, controlled defense information. So think about the schemas or the blueprints for the things that DOD may or may not be building."
"Okay, so we have these blueprints. They obviously need to be protected. And what's the state of protection today?"
"When federal agencies have this information in our systems, we protect it in a certain way. And when we share this with our non-federal partners, you know, the people in our supply chain and the defense industrial base, there's that expectation that the information is still protected at that same level. Cybersecurity is a journey, not a destination, and it's ever-evolving. And I know we're all collectively doing the best that we can to really adequately protect that information. So the state of today is we're making constant improvement. Right? There's always an opportunity to do better, learn, and, you know, very good."
"So if that's the state of today. So we're in this state where we're trying to figure out exactly. We're trying to comply to a standard that you set. How is that going to change for next years or two years from now? How is it changing this 800-171?"
"The only constant in the world of cybersecurity is constant change. And from a NIST perspective, there's value in developing those standards and guidelines to try to keep pace with the change in technology, recognizing that we're not going to issue a new standard every other week or every other hour or minute as the cybersecurity threat landscape changes. But our standards are outcome-focused and really focus on those protection measures. That should be more, I don't want to say timeless, but stand the test of time a little bit better. So NIST is currently working on issuing a revision to 800-171. The current revision that's being implemented now is revision two, and we're working to issue revision three in the late spring of 2024. And then revision three one day will evolve into a revision four and so forth and so on. The threat changes. Absolutely."
"So when you are thinking about controls that are going into a new revision. So revision three, you said, what are the considerations?"
"That is a great consideration. But the scope of 171 is, again, protecting the confidentiality of these specific types of information. So not to say that not every good practice is a good cybersecurity practice, because if it's good, you should probably be doing it anyways. But for the scope of these requirements, we're really focused on the confidentiality of controlled, unclassified information."
"So when you have an idea for a new control at NIST in Bethesda. Right. So is there a chance for the companies that are affected to weigh in on the burden that might have on their company and their performance and their finances?"
"Oh, absolutely. So NIST believes in an open, transparent process. So I get to work with some really brilliant people, but there's a lot more smart people that are, you know, boots on the ground, working in the space, across industry, in the US, internationally, today, part of our NIST process is ensuring that we have periods for public comment and review, because really, in the world of cybersecurity, we need to raise all boats and work together. It's really a team sport, not to be cliche. So all of our draft publications, all of our draft controls requirements, they go through a rigorous public comment process where we adjudicate each and every comment that we receive."
"Each and every comment."
"So I'm a small guy. I have a small business, 15-20 people, and I don't get a control or it's very burdensome on me, especially me, because maybe it. Maybe it's fine for everybody else, but for me, it's very difficult. And I put in a comment, somebody reads it. Absolutely."
"And I can't promise you you're gonna get everything you want. Okay. But reasonable."
"At the end of the day, I think, there's so much value in understanding the different constraints of different organizations that have to use these guidelines or voluntarily choose to use our guidelines. There's no value in having standards if they're not being used, if they're not usable by the broader community which they're designed for. So it's not just about the standard. It's about how consumable, how usable it is. Will I be able to actually understand it and do it and live up to it? There's always opportunity for improvement. So, you know, if there's a way that we can clarify what we have in our guidelines, if there's a way that we can reframe or rephrase something, we definitely want to hear that feedback, because at the end of the day, we're building this for the user community."
"All right, so just to summarize, you're building controls. You are continually building controls 24/7 you're elevating the standard because our adversaries are elevating the attack. You're considering my opinion, even just a little company?"
"We have a voice in the process."
"Everyone has a voice in the process."
"Everyone has a voice in the process."
"And it's because you have a procedure and it's documented to make sure that we have that voice. And then ultimately what we're trying to do is protect the people who are serving in the government or serving in the military, correct?"
"Absolutely."
"All right. Thank you very much for coming here, and thanks for taking a few minutes to speak with me. Thanks, Mark."
