Over the past few years, there has been much attention paid in the technology security trade press to the need for companies to become “NIST SP 800-171 Compliant.” Much of this has focused on the need for compliance to be achieved by the end of December 2017. However, with the deadline now 6 months behind us, many organizations have not yet reached this goal. For those that work with government agencies, this puts them at risk of losing their contracts. Clearly, the time is now for enterprises to “get right” with the 800-171 standard. But what does this mean, and how does one go about it? Genians can help.
What is NIST and “NIST SP 800-171”?
“NIST” refers to “The National Institute of Standards and Technology.” It is a measurement standards laboratory, a non-regulatory agency of the U.S. Department of Commerce. Its official mission is to promote industrial competitiveness and innovation.
As part of this mission, NIST develops various forms of guidance and standards for industry to follow. In recent years, given the increasing importance of achieving and maintaining effective defense mechanisms against growing cybersecurity threats, NIST has published several frameworks concerned with improving data security controls. NIST 800-53, for example, provides guidance for U.S. Federal agencies on how to secure their IT environments. NIST’s “Cybersecurity Framework (CSF)” offers a generalized set of recommendations describing approaches to addressing cybersecurity risk that any organization should consider undertaking. Its prescriptions are highly useful, but completely voluntary.
NIST SP 800-171, a subset of NIST 800-53, applies specifically to any enterprise that works directly as a contractor for the U.S. government, or which handles sensitive government data – such as research universities and various third-party organizations that may serve as a subcontractor on a government project. Its goal is to protect the confidentiality of “Controlled Unclassified Information (CUI)” in non-federal systems and organizations. The 800-171 specification was created in 2015 by the Department of Defense with a compliance deadline of December 31, 2017. It was further updated in June 2018 to provide additional references and definitions for the various CUI components it addresses. Failure to meet and be able to demonstrate compliance with 800-171 could result in the loss of government contracts.
Taken together, these three major NIST frameworks seek to promote a more effective, structured, and reliable approach to managing cybersecurity risk. They attempt to help organizations establish the internal controls needed to comprehensively identify the infrastructure and data assets that require protection, and then to detect and respond to threats before they are executed. NIST also provides guidance on how best to respond and recover effectively in the event of a cyber breach.
The federal government has indicated that it would begin auditing organizations for 800-171 compliance in 2018. Recognizing that many may need help in achieving this new compliance standard, NIST just last month released “Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information (CUI).” As NIST noted at the time, “this publication is intended to help organizations develop assessment plans and conduct efficient, effective, and cost-effective assessments of the CUI security requirements defined in SP 800-171.”
How to Become 800-171 Compliant?
If your organization is not yet 800-171 compliant, don’t despair! The journey toward compliance may appear at first to be somewhat arduous, but it is really a matter of addressing a number of very straightforward, common-sense principles. Indeed, most of the matters addressed are things you should frankly already be doing. What 800-171 does is codify them.
The first order of business, clearly, is to become familiar with the framework itself. Yes, this means reading the NIST 800-171 document. At 76 pages, this may seem like an unwelcome chore, but it is significantly shorter than the NIST 800-53 document that applies to all government agencies rather than contractors alone – it runs to 462 pages. The 800-171 requirements are also organized and laid out to aid quick comprehension. Essentially, 800-171 consists of 110 distinct “controls” (requirements) that are grouped into 14 “control families.” Anyone familiar with other widely adopted security frameworks such as ISO 20001 or those from the SANS Institute will find these control family categories instantly recognizable. As the linked document indicates, these 14 families are as follows. The letter “G” following most of these entries indicates which families are most readily satisfied via Genians’ various features and capabilities (more on that in a moment):
- Access Control | G
- Awareness and Training
- Audit and Accountability | G
- Configuration Management | G
- Identification and Authentication | G
- Incident Response
- Maintenance | G
- Media Protection | G
- Personnel Security | G
- Physical Protection
- Risk Assessment | G
- Security Assessment | G
- System and Communications Protection | G
- System and Information Integrity | G
While this list may appear daunting at first blush, each category is fully explained in the NIST 800-171 documentation. A quick review of some of the highlights reveals just how sensible the requirements are. “Access Control,” for example, focuses on limiting access to an organization’s information systems to authorized individuals only; it also requires that non-privileged users cannot execute privileged functions, that access to “Controlled Unclassified Information (CUI)” is limited to those authorized to review such material, that the number of unsuccessful logon attempts is limited, and that all access-related activity is tracked. Meanwhile, “Audit and Accountability” requires that logs are properly created, protected, and retained, so that all system activity can be monitored in real time and investigated retrospectively to support full systems audit capabilities. The results of those audits must likewise be retained and protected. Finally, to offer one more example of NIST’s intentions with 800-171, multiple “Configuration Management” requirements are also established – from restricting, disabling, and preventing the use of certain ports, protocols, and services, to requiring the enforcement of certain security settings on all connected systems.
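To make the three families just described concrete, here is an added example (not code from Genians, and not text from the NIST publication) that reduces each to runnable logic: a logon gate that locks an account after a set number of failed attempts and records every access event (Access Control), a hash-chained audit trail whose records can be verified for tampering (Audit and Accountability), and a check that flags listening services outside an approved allowlist (Configuration Management). The class and function names, the lockout threshold, the sample credentials, and the sample listener table are all constructed for illustration.

```python
"""Added example: 800-171 Access Control, Audit and Accountability, and
Configuration Management themes as runnable logic. All names and sample
data are constructed for illustration, not taken from any product."""
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone


def hash_pw(password: str, salt: bytes) -> str:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256); never store plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


class AuditLog:
    """Append-only audit trail. Each record carries the hash of the previous
    record, so a later edit or deletion breaks the chain and is detectable
    (Audit and Accountability: create, protect, and retain audit records)."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: str, **fields) -> str:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = {"ts": datetime.now(timezone.utc).isoformat(),
                "event": event, "prev": prev, **fields}
        body["hash"] = self._digest({k: v for k, v in body.items() if k != "hash"})
        self.records.append(body)
        return body["hash"]

    def verify(self) -> bool:
        """True if every record still hashes correctly and links to its predecessor."""
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


class AccessGate:
    """Logon gate: limits unsuccessful logon attempts and records every
    access-related event in the audit log (Access Control)."""

    def __init__(self, credentials: dict, audit: AuditLog, max_failures: int = 3):
        self._creds = credentials          # user -> (salt, pbkdf2 hash)
        self._audit = audit
        self.max_failures = max_failures   # constructed threshold
        self._failures = {}
        self.locked = set()

    def login(self, user: str, password: str) -> str:
        if user in self.locked:
            self._audit.append("logon_denied_locked", user=user)
            return "locked"
        entry = self._creds.get(user)
        # Constant-time compare against a dummy hash for unknown users so that
        # response timing does not reveal whether the account exists.
        salt, expected = entry if entry else (b"dummy-salt", "0" * 64)
        if entry and hmac.compare_digest(expected, hash_pw(password, salt)):
            self._failures[user] = 0
            self._audit.append("logon_success", user=user)
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        self._audit.append("logon_failure", user=user, count=count)
        if count >= self.max_failures:
            self.locked.add(user)
            self._audit.append("account_locked", user=user)
            return "locked"
        return "denied"


# Configuration Management: only these (protocol, port) pairs are approved.
ALLOWED_SERVICES = {("tcp", 22), ("tcp", 443)}

# Constructed sample of what a host reports as listening.
SAMPLE_LISTENERS = [("tcp", 22, "sshd"), ("tcp", 443, "nginx"),
                    ("tcp", 23, "telnetd"), ("udp", 161, "snmpd")]


def check_services(listening, allowed=ALLOWED_SERVICES):
    """Return listeners (proto, port, name) that are not on the allowlist."""
    return sorted(s for s in listening if (s[0], s[1]) not in allowed)


def demo():
    """Run the three checks on the constructed data and return the results."""
    audit = AuditLog()
    salt = os.urandom(16)
    gate = AccessGate({"alice": (salt, hash_pw("correct horse", salt))}, audit)
    outcomes = [gate.login("alice", "wrong") for _ in range(3)]
    outcomes.append(gate.login("alice", "correct horse"))  # right password, but locked
    return outcomes, check_services(SAMPLE_LISTENERS), audit.verify()


if __name__ == "__main__":
    print(demo())
```

The lockout here is deliberately simple (no automatic unlock timer, no administrator reset), and the hash chain only makes tampering detectable, not impossible; protecting the log's storage and retaining it for the required period are separate obligations the example does not cover.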
NIST lays out all 14 “families” of its security defense framework without dictating how an organization should or might implement security solutions to meet all 110 individual “controls.” This, then, is an organization’s greatest challenge: how to craft an effective solution that addresses the entire range of NIST demands? NIST offers no guidance in this regard. It also has no preference as to whether organizations implement the appropriate security solutions directly or through managed services. All enterprises impacted by NIST 800-171 will need to grapple with these challenges. Organizations that do business with the government, or that in some way handle government data through a third party, will now need to consider the dictates of 800-171 in their security product purchases and deployments going forward. That effort is complicated especially because almost half of the 110 requirements in this framework will require, at least initially, some sort of “manual intervention” and/or process development by the end-user organization in order to satisfy them. Developing enterprise-wide cybersecurity training is one example of such a requirement, and it will need to be addressed by end-user security professionals and their business associates alike. There is, by definition, no one technology or cybersecurity product that can meet all 110 requirements simultaneously. The challenge for end users is therefore twofold: first, to address the manual work effort needed to satisfy almost half of the requirements; and second, to determine which product or products in the technology marketplace will have a clear and compellingly positive impact on meeting the other 50% of the framework’s demands.
Genians Can Help
Genian NAC is one such compelling solution. Of the 14 requirement categories discussed above, Genians’ Network Access Control feature set addresses some part of 11 of them – as noted in the above list of categories by the letter G following the relevant Genians-supported entries. The three “families” whose requirements it does not address involve either establishing manual processes, such as awareness training, that no automated tool will be able to provide, or manual, human intervention in the form of systems maintenance or physical security. Indeed, of the 63 controls that do not necessitate manual process intervention, Genians is able to address fully 55 of them. Again, the linked document spells out in detail the broad extent of Genians’ coverage for 800-171 compliance.
In summary, one needs to have both a significant number of manually-developed processes in place to achieve 800-171 compliance – and one needs to automate the remainder via advanced security tools and technology-supported processes. It’s also important to remember that it’s not sufficient simply to achieve compliance – one then has to maintain this heightened security profile in an ongoing fashion beyond that. Ensuring that such maintenance is, in fact, occurring in a demonstrable fashion will ultimately be the most challenging part of the equation.
Genians’ approach of ensuring that only approved devices, accompanied by legitimate logins with appropriate system authorization levels, gain access; its strong focus on effective configuration management, including denying access to certain software while requiring the presence of others – such as up-to-date malware definitions; and its ability to log all access activities consistently and reliably together make it, even without mentioning the rest of its broad feature set, a very attractive candidate for helping your organization meet its NIST 800-171 obligations.