When it comes to data that cyber criminals are after, defense and military information ranks near (if not at) the top of the list. And it's not something the U.S. Department of Defense (DOD) is taking lightly. Between cyber protection, support, and other teams, the DOD is on pace to have 133 teams of federal agencies dedicated specifically to cyber defense. In addition, the DOD is working with the National Institute of Standards and Technology (NIST) to implement regulations that will also make sensitive data handled by DOD and government contractors secure.
The key regulation that defense contractors, vendors, and business contractors need to comply with is NIST 800-171. To be NIST 800-171 compliant, contractors need to take protective measures in how they collect, store, or transmit certain types of sensitive data. This could be either Covered Defense Information (CDI) or Controlled Unclassified Information (CUI). Most contractors handle CUI, which includes types of data such as manuals, source code, and engineering specifications.
How you choose to tackle NIST 800-171 compliance will depend on the nature of your business, and the kinds of CUI that you handle. But no matter what your situation is, there are certain bases that most every defense contractor needs to cover in their NIST 800-171 checklist.
Below is a summary of the 14 mandated areas that you'll need to address on your NIST 800-171 checklist, from access controls and configuration management to incident response and personnel cyber security.
1. Access Controls
Access control compliance focuses simply on who has access to CUI within your system. To be NIST 800-171 compliant, you must ensure that only authorized parties have access to sensitive information of federal agencies and that no other parties are able to do things like duplicate their credentials or hack their passwords. Your access control measures should include user account management and failed login protocols. You also need to consider increasing controls for remote access and have documented security policies describing how you plan to enforce your access controls.
Many organizations also apply cryptography or added email encryption for an extra layer of security. Finally, NIST recommends limiting data storage on external or portable devices or hard drives per section 3.1.21.
2. Awareness & Training
This section of the NIST cybersecurity framework asks contractors the question: Are your people properly instructed on how to handle CUI, CDI, and any other sensitive information? You need to ensure that everyone from managers and IT personnel all the way down to administrative staff is familiar with the security risks associated with their roles, as well as the policies and procedures that must be adhered to.
You'll need to document that you've carried out training so that each person is able to carry out their duties in a secure fashion, as well as make sure everyone knows what to do if they see a potential cyber security compliance violation in-house.
While the NIST cybersecurity framework doesn't say how many trainings need to occur per year or for how long, it's best that you work with your NIST compliance partner to develop a security training program that not only brings you into compliance but helps employees do their jobs in a more secure way over the long run.
3. Audit & Accountability
Next, you'll need to create (and retain) system audit logs and records that will enable monitoring, analysis, investigation, and reporting of any suspicious activity within your systems.
In short, you need to be set up so that you (or any compliance auditor) can follow a trail of breadcrumbs to see exactly what took place in the event of a cyber breach. Any action within your systems needs to be clearly associated with a specific user, so that person can be held accountable.
The bottom line is that you'll need to keep records of who has accessed what information, and whether that user was authorized to do so. Identifying data authorization violators, whether external or internal, is the main crux of the NIST 800-171 audit and accountability standard.
4. Configuration Management
How are your networks and cybersecurity protocols built, and is the configuration accurately documented? How your network is configured can encompass a variety of variables and systems, from hardware to software and firmware.
When you purchase a new software system, for instance, the package normally contains a set of baseline, default security configurations. However, these default settings may (or may not) be up to NIST 800-171 security standards for contractors that handle CUI or CDI. Moreover, you're likely to alter the software's configuration as you tailor it to the specific needs of your business.
You'll want to work with a compliance partner to analyze your baseline system configuration, monitor configuration changes over time, and take into account any user-installed software that employees might be using in relation to CUI.
5. Identification & Authentication
Here, you'll need to think about which users are approved to access CUI, and how their identities are verified prior to granting access. Specifically, NIST 800-171 states that all users, processes, and devices need to be identified and authenticated. So, not only does the user need to be authorized to access CUI, that access must also come through an approved, secure device.
You should consider using multifactor authentication, for example, when authenticating users who are accessing the network remotely or via their mobile devices. Other authentication measures like minimum password complexity and prohibiting password reuse fall under this section.
While you're probably already doing most of the right things in terms of identification and authentication, it's still wise to conduct a NIST 800-171 audit of your security policies and processes just to make sure you're fully compliant.
6. Incident Response
If a breach or security threat does in fact occur, NIST 800-171 compliance requires that you have a concrete incident response plan. A compliant response plan should include elements of preparation, threat detection, and analysis of what's taken place.
You'll also need to outline how you'll contain the threat, recover critical systems and information, and what actions specific users will need to take. You should also work with a compliance partner to periodically test your response capabilities by running fire drills so that each person has experience in taking the appropriate actions.
Most importantly, you need to have established reporting guidelines, so that NIST, DOD, or any other relevant stakeholders become aware of the incident in a timely manner.
7. Maintenance
Routine maintenance of cybersecurity measures and systems is required under NIST 800-171. Therefore, you need to establish a timeline of when maintenance is set to occur, and who will be responsible. You should provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance, so that CUI remains secure in the process.
During the process of maintenance, you may choose to switch out or upgrade hardware, which must be cleansed of any CUI before being disposed of or taken off premises. You should also take caution when system maintenance is being done via remote, off-premises sessions, and secure those sessions with additional security layers such as multi-factor authentication or advanced encryption.
8. Media Protection
Technologies like CD-ROMs, USB drives, and flash drives are commonly used for the added convenience and productivity benefits they provide. But under NIST 800-171, CUI contained on these devices must be handled with a certain measure of care.
You'll want to assess how your electronic and hard copy records are stored on various media, as well as make sure that any backups are securely stored. Make sure that only authorized personnel have access to these media devices or hardware.
Whether it's a USB drive or a physical paper copy, make sure that any media with CUI is clearly marked as such, so that there's zero confusion when personnel are handling it. Every portable storage device should also have a clearly designated user for audit and traceability purposes.
9. Physical Protection
According to NIST 800-171, you need to secure any and all CUI that exists in physical form. Ask yourself who has access to systems, equipment, and storage environments, and make sure it's limited only to authorized individuals.
You're also required to monitor and escort visitors to your facility, ensuring that they don't wander off and gain access to physical CUI. When someone does need to access physical data, maintain a physical audit log (a sign-in sheet) so that if anything does go missing, you'll be able to trace who it might have been.
Most of what physical protection compliance requires comes down to common-sense measures. Just make sure your physical CUI is locked up and secured properly, and work with your compliance partner to see if any additional precautions can be taken to bolster your defenses.
10. Personnel Security
Before granting any new personnel access to CUI, make sure they've been adequately screened and have gone through a background check.
Another reality is that most organizations are quick to grant access to new employees when they come aboard, but all too often slow to revoke access when the person is terminated, quits, or gets transferred.
Revoking access is a blind spot for many contractors, but needs to be done promptly per NIST 800-171 standards. Just make sure to work with your IT and HR teams to have concrete CUI authorization processes in place not just when new people join your company, but for when they leave as well.
11. Risk Assessment
Risk and threat assessments are one of the most important aspects not just of compliance, but for the actual safety and security of your data. Are your defenses regularly being tested in simulations? How regularly are operations and individuals verified for security? This is where a compliance partner can be a valuable asset, conducting activities like penetration testing, assessment scans, and threat intelligence planning.
You'll want to simulate real-world attacks to assess your external applications, network, and mobile application vulnerabilities. And if you do spot gaps in your risk assessment testing, take steps to remediate those flaws as soon as possible.
12. Security Assessment
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Simply put, are your processes and procedures still adequate, or are improvements needed? Threats change from year to year, so the policy you developed 12 months ago might need some tweaks based on external factors.
You should have periodic security review plans and procedures set in stone, so that none of your security measures become outdated. Basically, compliance with the security assessment standard requires that you consistently review your systems, have a continuous improvement plan, and quickly address any gaps when you spot them.
13. System & Communications Protection
Many DOD contractors will, at some point, have to communicate or share CUI with other authorized parties. So it's no surprise that NIST 800-171 sets standards for the systems you use to transmit CUI, as well as the security measures that should be taken.
CUI should be regularly monitored and controlled at key internal and external transmission points, whether it be physical or electronic data sharing. You should also work with your IT personnel and compliance partner to assess your underlying software system architecture to ensure that data transmissions flow only between the intended parties and are not exposed to potential third parties via side-road subnetworks.
14. System and Information Integrity
The final standard on any comprehensive NIST 800-171 checklist is the system and information integrity standard, which covers how quickly potential threats are detected, identified, reported, and corrected.
Monitoring is a critical part of compliance in this area, as is updating your patch availability report and malicious code protection software on a regular basis. System and information integrity is something that most DOD contractors are doing today, but you may want to work with a compliance partner to streamline certain aspects like patch management and Incident Response Planning (IRP).
Conclusion
It doesn't have to be a headache for DOD contractors to become fully NIST 800-171 compliant. With this simple checklist, you and your compliance partner will be able to tackle each mandated area effectively, efficiently, and in a timely manner. In the end, compliance shouldn't be seen as a chore. NIST standards are there to help provide a framework that keeps your CUI safe and, most importantly, your company free from audits.
For more information on cyber security solutions, please call RSI Security today.