What is NIST?

Many organizations holding contracts or business with the federal government are faced with meeting NIST 800-171 compliance by December 2017 or risk losing their federal business.

Looking online, and through the NIST handbook itself, provides few clues on how to meet this seemingly daunting task of ensuring that your CUI is protected and meets the standard.

If you’re not familiar, “Controlled Unclassified Information” (CUI) supports federal missions and business functions that affect the economic and national security interests of the United States. Non-federal organizations (e.g. colleges, universities, state, local and tribal governments, federal contractors) often process, store, or transmit CUI.

Executive Order 13556 (11/10/2010) designated the National Archives and Records Administration (NARA) as the Executive Agent to implement the CUI program. NIST Special Publication 800-171 defines the security requirements for protecting CUI in non-federal information systems and organizations. 

There are 14 families of security requirements associated with the standard:

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Physical Protection
  10. Personnel Security
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

Diving deeper… let’s look at an example for Configuration Management from Chapter 3, Requirement 4 in NIST 800-171.

BASIC SECURITY REQUIREMENTS (FROM FIPS PUBLICATION 200):

3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems.

DERIVED SECURITY REQUIREMENTS (FROM NIST SPECIAL PUBLICATION 800-53):

3.4.3 Track, review, approve/disapprove, and audit changes to information systems.

3.4.4 Analyze the security impact of changes prior to implementation.

3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.

3.4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities.

3.4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.

3.4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

3.4.9 Control and monitor user-installed software.

With that background, consider that many of the organizations faced with this requirement are in a bit of a quandary, considering the reality of never having had to protect CUI at this level before. They don’t want to lose these important customers but at the same time, they don’t have the people or experience or technology to solve it...

That's where Vigilant CyberDNA comes in...

Through the combination of Vigilant's CyberDNA passive traffic monitoring sensors and Managed Endpoint services, Vigilant covers most of the NIST 800-171 and NIST 800-181 requirements simply by turning up CyberDNA in your environment. It's that easy: in just 20 minutes, with no configuration of your environment needed, you are covered for the most difficult and time-consuming aspects of the NIST compliance goal.

Make CyberDNA the BEST WEAPON IN YOUR ARSENAL


Vigilant offers a no-cost, no-obligation “Proof of Value” (POV).

What do you get for doing a 5 day POV?
• 5 Day full analysis and forensics of your entire environment.
• Assessment report ($35K – $60K Value depending on your environment)
• Full access to Vigilant’s Analyst team and Portal for 5 days
• No Configuration needed from your team
• Installs in 20 Minutes to 1 Hour
• And don't worry: if you have an active incident that is identified during the trial, we'll do all Incident Response at no cost during the POV.