Business functions and regulatory compliance don’t always go hand-in-hand, even for federal government entities and contractors. However, the pressure to comply has become real as government contracts and prime contractor agreements are starting to include NIST 800-171 compliance as a standard.
In a previous blog post, we outlined three major areas of focus to comply with NIST 800-171: protect your content, know your users, and track everything. This post will take a deeper dive into protecting your content, with the goal of demonstrating how you probably have a lot of the security practices in place already.
When talking about system protection, I like to imagine a house from construction to move-in. We’ll work through the families of 800-171 controls in the same manner, and not in the order they are listed in the regulation.
1. System and Communications Protection
Before you can build a house you must have roads, sewers, and electricity in place. The System and Communications Protection control family focuses on all the external infrastructure connections that will support the functions of your information system. To bring this infrastructure to “code” for NIST 800-171, you must encrypt content in transit, and at rest, using FIPS validated encryption. (See validated algorithms here).
Most likely you are already using one of these cryptographic methods to secure inter-system communication. This requirement is so important that it repeats itself throughout several of the controls. Once the infrastructure is in place, this family also governs inter-system communication by requiring a set time period after which sessions are terminated. By requiring users and systems to re-authenticate, you reduce the risk of data leakage.
2. Access Control
When you design a house, you must decide where the doors and windows will be. If security is a top requirement, you must consider how to control access, and who gets the keys. When protecting Covered Defense Information (CDI) or Covered Technical Information (CTI), you have both internal and external processes to consider. The Access Control family focuses on separating the access of standard users from that of administrators within your network, and on ensuring that these accounts operate with “least privilege.” This has been a standard practice for many years, so it should only require that you document your processes.
Additionally, this control family requires appropriate privacy notices for users entering the system. It limits both the number of logon attempts and the time a user can remain connected within a session. Finally, you must encrypt your communications with the outside world, whether via the internet, Wi-Fi, or a wireless device.
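The session-termination requirement from the System and Communications Protection family and the logon-attempt and session-length limits from the Access Control family are the kind of controls you can verify in code. The following is an added example, not code from the original post or from any product it mentions: a small in-memory access controller that locks an account after repeated failed logons, terminates a session after a period of inactivity, and terminates it after a maximum lifetime so the user must re-authenticate. The thresholds (`MAX_FAILED_ATTEMPTS`, `LOCKOUT_SECONDS`, `IDLE_TIMEOUT_SECONDS`, `MAX_SESSION_SECONDS`), the account names, and the in-memory store are all assumptions chosen for illustration; your System Security Plan should document the values you actually enforce.

```python
"""Added example (not from the original post): enforcing logon-attempt limits,
idle timeouts and a maximum session lifetime. All thresholds are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 3          # assumed: lock after three bad passwords
LOCKOUT_SECONDS = 15 * 60        # assumed: lockout lasts 15 minutes
IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed: terminate after 15 minutes idle
MAX_SESSION_SECONDS = 8 * 3600   # assumed: re-authenticate at least every 8 hours


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a stolen account table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0     # epoch seconds; 0 means not locked


@dataclass
class Session:
    username: str
    created_at: float
    last_activity: float


def make_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _hash_password(password, salt))


class AccessController:
    """Tracks accounts and live sessions; `now` is passed in so the policy is testable."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.sessions = {}
        self._next_id = 0

    def is_locked(self, username: str, now: float) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and now < acct.locked_until

    def login(self, username: str, password: str, now: float) -> Optional[str]:
        """Return a session id on success, None on failure or lockout."""
        acct = self.accounts.get(username)
        if acct is None or now < acct.locked_until:
            return None  # unknown user, or locked: reject even a correct password
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
            return None
        acct.failed_attempts = 0  # successful logon resets the counter
        self._next_id += 1
        sid = f"session-{self._next_id}"
        self.sessions[sid] = Session(username, now, now)
        return sid

    def check_session(self, sid: str, now: float) -> bool:
        """True if the session is still valid; otherwise terminate it and return False."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        idle_too_long = now - s.last_activity > IDLE_TIMEOUT_SECONDS
        lived_too_long = now - s.created_at > MAX_SESSION_SECONDS
        if idle_too_long or lived_too_long:
            del self.sessions[sid]  # terminated: the user must re-authenticate
            return False
        s.last_activity = now
        return True


if __name__ == "__main__":
    ac = AccessController([make_account("alice", "correct horse")])  # constructed sample
    for t in range(3):
        ac.login("alice", "wrong", t)          # three failures lock the account
    print("locked:", ac.is_locked("alice", 3))  # True
    sid = ac.login("alice", "correct horse", 3 + LOCKOUT_SECONDS)
    print("session:", sid, "valid:", ac.check_session(sid, 3 + LOCKOUT_SECONDS + 60))
```

Passing `now` explicitly rather than reading the clock inside the class is what makes the idle and lifetime rules easy to test and audit; the same pattern lets you record, in your audit log, exactly which rule terminated a session.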
3. Physical Protection
Once you finish building, you’ll need to protect your new home. A complete security system logs when doors open and close, alerts you when motion sensors are triggered, and has security cameras for additional monitoring. Similarly, the Physical Protection control family tracks visitors, restricts physical access to sensitive areas, and monitors all community space. Yes, physical servers still exist, so you should have a method to track access to the data center, the racks, and the servers themselves. Digital keycards, video cameras, and controlled access to each section of the facility are highly recommended.
4. Media Protection
Even with your doors locked and security system running, you should still keep valuables and important documents in a safe. Similarly, NIST 800-171 recognizes that not all content in your system is created equal. The Media Protection control family requires that CDI be marked at the document level and on any external media on which it is stored. Media includes both physical servers that need to be protected and printed materials, and the controls cover how they’re stored and destroyed when no longer needed.
Encryption of CDI content is reinforced for digital transport methods, from CD/DVD to thumb drives, and within backup systems. Another key concern is the ability to use removable devices to download and store CDI data. Turning off all USB ports on laptops might solve that issue, but users should also be trained not to transport CDI on external devices.
5. Configuration Management
Now that your house is built and secure, let’s talk about decorating. How do you decide where to put your furniture and decorations? The Configuration Management control family focuses on the detailed, software level of your system. It covers the processes and procedures you follow to make sure logical security is in place, and it reaffirms the access restrictions from the Access Control family.
Do you restrict which software is installed on servers and/or on staff’s laptops? Document how you make sure new software does not affect security and stability of your information system.
6. System & Information Integrity
When you have a new home, you want to fill it with safe, high-quality materials. This is similar to the System and Information Integrity control family, which focuses squarely on your information system, and even more specifically on the code within it. You should monitor, identify, and take action if you find flaws in the system, or malicious code from outside parties.
What process do you have in place for responding to these errors? If you have one, formalize it. That gets you one step closer to fulfilling the NIST 800-171 System Security Plan (SSP).
7. Maintenance
Your house, or information system, is no good without constant upkeep. Follow best practices to make sure the hardware and software supporting your information system is in good shape. Make sure you know who is working on your system and what tools (physical or digital) they’re using when performing maintenance. Make sure your processes are in place for internal and external personnel to keep the system at its best.
These seven control families within NIST 800-171 bring you closer to protecting your content. They comprise a holistic view of your digital and physical infrastructure. This supports your information system and documents the processes that maintain the security of this system. And that’s how you start to comply with the new standards.
Ready for more information? Senior Product Manager Adam Levithan also will be hosting a webinar on “Three Steps to NIST 800-171 Compliance.” Register now for the September 14, 2017 event.