... implementing Defense Federal Acquisition Regulation Supplement (DFARS) clauses that apply to all contractors who process, store, or transmit “covered defense information.” As a result, many businesses are required to implement the NIST 800-171 security framework.
Adopting the defense-in-depth methodology requires implementing the 14 families of controls while leveraging existing practices and infrastructure. It also creates opportunities to implement advanced solutions such as privilege management and next-generation firewalls.
All requirements in NIST 800-171 are traced to NIST 800-53, and most require both a procedural control and a technical control that enforces the procedure. Here are some important considerations when evaluating NIST-compliant controls.
Control 1: Access Control
The Access Control requirement is the most salient control in the NIST 800-171. In general, this control family specifies limiting system access to authorized users and making sure those users are only able to do specified actions based on job functions (also known as the principle of least functionality). Separation of duties through security groups and Access Control Lists (ACLs) can be applied to meet this control.
Control 2: Awareness and Training
Leadership and employees should receive security awareness training on secure use of the organization's information systems. This is essential to satisfying NIST 800-171 requirements. Conducting mandatory annual security training and exercises is necessary to keep employees alert and vigilant.
One common example of recommended training in the Defense community includes the Cyber Awareness Challenge accessible through the DISA website.
Control 3: Audit and Accountability
The NIST 800-171 Audit and Accountability requirements focus specifically on ensuring that an organization's audit generation and reporting capabilities sufficiently support proper security monitoring and management.
Control 4: Configuration Management
Change is defined as the addition, modification, or removal of configuration items. Documented processes and standard baseline configurations promote systematic, controlled changes that maintain system integrity over time.
Control 5: Identification and Authentication
Identification and authentication requirements ensure systems are properly identifying users and verifying their identity prior to granting any access. Multi-Factor Authentication can be a key component to meeting this control.
Control 6: Incident Response
Organizations should have operational incident-handling capabilities that include adequate preparation, detection, analysis, containment, recovery, and user response activities.
Control 7: Maintenance
System maintenance should be performed at regular intervals to protect organizational information systems from zero-day attacks and other vulnerabilities.
Control 8: Media Protection
On-premises media should be physically protected and monitored to adequately prevent loss or theft.
Control 9: Personnel Security
Verifying and validating personnel through background checks and other vetting processes are important steps in onboarding procedures.
Control 10: Physical Protection
Physical protection can be enforced with alarm systems, locks, and security cameras.
Control 11: Risk Assessment
Regular assessments are needed to identify risks related to procedures, functions, and information systems. Implementing standard controls and recurring security scans helps an organization stay abreast of system vulnerabilities.
Control 12: Security Assessment
Auditing controls, processes, and procedures should be completed to validate that the security posture meets the NIST standards. An outside assessment can also be a validation of the security framework.
Control 13: System and Communications Protection
Well-configured firewalls should guard the perimeter of your organization and provide intrusion prevention/detection capabilities. Network segmentation is another best practice for both security and performance.
Control 14: System and Information Integrity
Keeping antivirus signatures up to date and scanning regularly for viruses and malware is an essential step in maintaining system and information integrity. Access to malicious websites from corporate resources should be blocked by web filtering.
Let us know if we can help! Understanding the NIST compliance controls can be both challenging and daunting, but AEM can help interpret how these controls can be applied to your environment to create both a compliant and secure infrastructure.