With the holidays over and the New Year just beginning, there are a few important items security leaders must check off their to do lists. For example, complying with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 regulations, which went into effect on Dec. 31.
Any organization or contractor that holds or processes controlled unclassified information (CUI) as part of their work with the Department of Defense (DoD) must ensure that they comply with this new regulation. As most know by now, meeting the NIST 800-171 requirements is vital to the security of our nation and provides enhanced security for organizations’ valuable assets and data.
Here are the five golden rules to ensure you make the NIST 800-171 compliance grade in 2018.
Section 3.1 requires suppliers to limit information system access to authorized users, processes acting on behalf of authorized users or devices, as well as the types of transactions and functions that authorized users are permitted to execute. The flow of CUI should be controlled in accordance with approved authorizations. Vendors also need to prevent non-privileged users from executing privileged functions and audit the execution of such functions. To stay compliant, you should ensure that only personnel with the right credentials, meaning they have proof of identity or a qualification, be able to access protected email or document. Your system should maintain a complete audit trail to track all administrative actions taken. You should set up your system such that administrators can control the creation and distribution of policies that govern controlled access to protected information. When you select your platform, it’s worth noting that Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) (DLP in the cloud) currently do not provide in-use protection.
Awareness and Training
Section 3.2 of the document requires managers, systems administrators and users of organizational information systems be made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of organizational information systems.To stay compliant, you need a platform that provides alerts, reports and data tracking of all protected content to record all instances that the documents are being accessed, shared, edited or stored. The system should also support the delegation of administration to maintain a separation of duties for the creation, distribution, and management of security policies.
Audit and Accountability
Section 3.3 of NIST SP 800-171 requires the creation, protection and retention of information system audit records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful, unauthorized or inappropriate information system activity.Vendors must ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.Suppliers should use automated mechanisms to integrate and correlate audit review, analysis and reporting processes so they can investigate and respond to indications of inappropriate, suspicious, or unusual activity in a timely manner.To stay compliant, you need a system that provides administrators with an easy-to-use dashboard that offers real-time alerts, reports and data tracking on all protected content.
Configuration Management Section 3.4 requires vendors to employ the principle of least functionality by configuring the information system to provide only essential capabilities.Suppliers should also apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software — which help prevent unauthorized personnel from using screen scraping and screen sharing applications to extract information from protected content.To adhere to the regulations, select a platform in which administrators can designate rights of access of protected content by individuals or groups based on specific roles within the organization for greater security and more flexibility.
Identification and AuthenticationFinally, Section 3.5 of NIST SP 800-171, requires the ability to identify information system users, processes acting on behalf of users, or devices. Your system should be able to authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. To comply with this requirement, select a platform that allows for authentication, for example, PKI technology.While there are several different ways to meet these requirements, there is still a lot of confusion about how compliance will be assessed or what the criteria are for successfully going through an audit. However, the potential penalty is clear – companies not in compliance may be denied the ability to sell their products or services to the DoD. Following these golden rules is critical to keeping the trust of your partners, vendors, contractors and customers.
Brad Gandee is the vice president for product marketing and management at Gigatrust.