NIST COMPLIANCE REQUIREMENTS
The Department of Defense implements Defense Federal Acquisition Regulation Supplement (DFARS) clauses (most notably DFARS 252.204-7012) that apply to all contractors who process, store, or transmit “covered defense information.” As a result, many businesses are required to implement the NIST SP 800-171 security requirements.
Meeting these requirements with a defense-in-depth approach means implementing the 14 families of controls (as organized in Revision 2 of the publication; Revision 3, published in 2024, reorganizes them into 17 families) while leveraging existing practices and infrastructure. It also creates opportunities to implement advanced solutions such as privilege management and next-generation firewalls.
The requirements in NIST 800-171 are derived from the moderate baseline of NIST SP 800-53, and most of them need both a documented procedure and a technical control that enforces it. Here are some important considerations when investigating NIST-compliant controls.
Control 1: Access Control - The Access Control requirement is the most salient control family in NIST 800-171. In general, it specifies limiting system access to authorized users and ensuring those users can perform only the actions their job functions require (the principle of least privilege). Separation of duties, enforced through security groups and Access Control Lists (ACLs), can be applied to meet this control, and privileged accounts should be kept separate from the accounts used for everyday, non-privileged work.
Control 2: Awareness and Training - Leadership and employees should receive security awareness training on secure usage of the information systems; this is essential to satisfying NIST 800-171 requirements. Conducting mandatory annual security training and exercises keeps employees aware and vigilant, and personnel with assigned security responsibilities should receive role-based training for those duties.
Control 3: Audit and Accountability - The NIST 800-171 Audit and Accountability requirements focus on ensuring that an organization’s audit generation and reporting capabilities adequately support security monitoring and management: audit records must be detailed enough to trace actions to individual users, must be protected from unauthorized access and modification, and must be reviewed and correlated on a regular basis.
Control 4: Configuration Management - A change is the addition, modification, or removal of a configuration item. Documented change processes and standard baseline configurations ensure changes are made systematically so that system integrity is maintained over time. This family also covers restricting systems to essential capabilities only (the principle of least functionality) and controlling user-installed software.
Control 5: Identification and Authentication - Identification and authentication requirements ensure systems properly identify users and verify their identities before granting any access. Multi-factor authentication is a key component of meeting this control: NIST 800-171 requires it for network access to both privileged and non-privileged accounts and for local access to privileged accounts.
Control 6: Incident Response - Organizations should have an operational incident-handling capability that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. Incidents involving covered information must be tracked, documented, and reported to the appropriate officials.
Control 7: Maintenance - System maintenance should be performed on a controlled basis: maintenance tools and media brought into the environment must be checked for malicious code, equipment removed for off-site maintenance must be sanitized of covered information, and maintenance personnel without the required access authorizations must be supervised. Scheduled maintenance windows are also the natural place to apply patches, but patching only addresses known vulnerabilities; it does not protect against zero-day attacks, which must instead be caught by the monitoring and integrity controls described below.
Control 8: Media Protection - Media containing covered information, whether on-premises or in transit, should be physically protected and monitored to prevent loss or theft, marked appropriately, sanitized or destroyed before disposal or reuse, and encrypted when transported outside controlled areas.
Control 9: Personnel Security - Verifying and validating personnel through background checks and other vetting processes is an important step in onboarding procedures, and systems holding covered information must be protected during and after personnel actions such as terminations and transfers.
Control 10: Physical Protection - Physical access should be limited to authorized individuals and can be enforced with alarm systems, locks, and security cameras; visitors should be escorted and physical access logs maintained.
Control 11: Risk Assessment - Periodic assessments are needed to identify risks related to procedures, functions, and information systems. Regular vulnerability scans of systems and applications, followed by remediation of the findings, keep the organization abreast of system vulnerabilities.
Control 12: Security Assessment - Auditing of controls, processes, and procedures should be completed periodically to validate that the security posture meets the NIST 800-171 requirements, with deficiencies tracked in a plan of action and the environment documented in a system security plan. An outside assessment can also validate the security framework.
Control 13: System and Communications Protection - Firewalls should guard the perimeter of your organization and key internal boundaries and provide intrusion prevention/detection capabilities. Segmented networks are another best practice for both security and performance. Covered information must also be encrypted in transit, and where cryptography is used to protect its confidentiality, NIST 800-171 requires FIPS-validated cryptography.
Control 14: System and Information Integrity - Identifying and remediating system flaws (patching) promptly, keeping antivirus signatures up to date, and scanning for viruses and malware are essential steps in maintaining system and information integrity. Malicious websites should be filtered, with access denied from corporate resources, and security alerts and advisories should be monitored and acted on.
Let us know if we can help! Understanding the NIST compliance controls can be both challenging and daunting, but Kingston Bay Technologies can help interpret how these controls can be applied to your environment to create both a compliant and secure infrastructure.