Why Does NIST 800 Matter to My Organization?
First, the NIST 800 series are the standards and guidelines NIST publishes for securing federal information systems, one of the largest IT environments in the country. The special publications in most cases represent best practice for keeping an IT environment safe and secure. While not every publication applies to every organization, many organizations model their own IT security on NIST 800. Second, companies seeking to contract with the federal government need a degree of compliance with NIST 800. In particular, NIST Special Publication 800-171, Protecting Controlled Unclassified Information (“CUI”) in Nonfederal Information Systems and Organizations, spells out the security requirements for current and prospective contractors that handle CUI.
CUI Program and Scope
According to Special Publication 800-171, “The CUI Program is designed to address several deficiencies in managing and protecting unclassified information to include inconsistent markings, inadequate safeguarding, and needless restrictions, both by standardizing procedures and by providing common definitions through a CUI registry” (Page 1). Working from that registry, ETTE identifies the particular requirements and baselines a company must meet to acquire and maintain compliance. NIST understands that companies may find it hard to build a full, comprehensive infrastructure comparable to a federal environment. This is why, “If nonfederal organizations entrusted with protecting CUI designate specific information systems or system components for the processing, storage, or transmission of CUI, then the organizations may limit the scope of the CUI security requirements to those particular systems or components.” (Page 2). Instead of bringing an entire network under the NIST requirements, ETTE can develop and partition a highly secured subnetwork (a CUI enclave). This scoping only holds if CUI actually stays inside the enclave: any system that processes, stores, or transmits CUI, including email, backups, file shares, and the workstations used to administer the enclave, is in scope. With the boundary drawn this way, the subnetwork is a more cost-effective solution for small and medium organizations that perform federal-related services or tasks.
CUI Fundamental Requirements
The CUI security requirements in Special Publication 800-171 rest on three basic assumptions that hold in every circumstance (Page 5):
- “Statutory and regulatory requirements for the protection of CUI are consistent, whether such information resides in federal information systems or nonfederal information systems including the environments in which those systems operate;
- Safeguards implemented to protect CUI are consistent in both federal and nonfederal information systems and organizations; and
- The confidentiality impact value for CUI is no lower than moderate in accordance with Federal Information Processing Standards (FIPS) Publication 199.”
In practice, the third point means a contractor cannot argue that its CUI is “low impact” and apply a lighter baseline; the moderate confidentiality level is the floor.
ETTE’s Compliance Solution
ETTE understands the unique security and compliance ecosystem that many of our customers live in. We want your business to comply with every regulation that applies to it. For this, we follow the NIST Special Publication 800-171 requirements to make sure your IT environment is fully compliant. The 800-171 security requirements are divided into fourteen categories (referred to as “Families”), described in Chapter Three of Special Publication 800-171:
- Access Control: Ensure the IT environment is accessible only by authorized users, and authorized users can only access their relevant data and functions.
- Awareness and Training: Ensure that users and IT professionals understand security risks and what they may do to minimize those risks.
- Audit and Accountability: Create and retain audit records so that inappropriate activity can be monitored, analyzed, and reported, with enough granularity to trace actions to the individual user.
- Configuration Management: Establish and maintain baseline configurations and inventories of the IT environment, and enforce security configuration settings for that environment.
- Identification and Authentication: Authenticate the identities of users, processes, or devices as a prerequisite to allowing access to organizational information systems.
- Incident Response: Establish an operational incident-handling capability covering preparation, detection, analysis, containment, recovery, and user response, and track, document, and report incidents to the appropriate officials and authorities.
- Maintenance: Maintain the IT environment and provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct that maintenance.
- Media Protection: Securely store physical and electronic media containing CUI, limit access to authorized users, and sanitize or destroy media before reuse or disposal.
- Personnel Security: Screen personnel prior to granting CUI access, and ensure systems are protected in the event of personnel transfers and terminations.
- Physical Protection: Monitor and limit physical access to CUI to authorized individuals.
- Risk Assessment: Periodically test and assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.
- Security Assessment: Periodically assess the security controls to ensure physical and electronic controls are operating properly and providing adequate security, and remediate deficiencies through plans of action.
- System and Communications Protection: Monitor, control, and protect information transmitted or received by the IT environment at the external boundaries and key internal boundaries of the environment.
- System and Information Integrity: Provide protection from malicious code at appropriate locations within the IT environment. Monitor information system security alerts and advisories and take appropriate actions, including incident reporting, in response.
For a typical CUI-secured environment, ETTE provides an affordable package of the following services to address the fourteen families and provide compliance:
- Baseline inventory and setups for information systems, including hardware, software, firmware, network access points, and documentation.
- High-level security for technology products used for federal purposes. ETTE can develop the most appropriate solution for your organization including elements such as next-gen endpoint protection, two-factor authentication, and end-user security training.
- Comprehensive documentation for any and all changes to your IT environment, including prior analysis, chain of approval, audits, authorized user rosters, accesses, and permissions.
- Custom setup and configuration to restrict the use of nonessential products, functions, ports, protocols, and services.
- Blocked (deny) and trusted (allow) lists for websites and programs, so that unauthorized software cannot execute in the CUI environment.
- 24/7 Monitoring agent
- IT security plan maintenance (see below)
IT Security Plan Development
To ensure CUI security compliance, best practice calls for an IT Security Plan. Special Publication 800-171 itself requires a system security plan that describes the system boundary, the operating environment, how the security requirements are implemented, and the relationships with or connections to other systems, together with plans of action for any requirement not yet met. In many instances, such a plan is REQUIRED to do business with the Federal government or to act as a subcontractor to larger contracting organizations. ETTE can help your organization develop a compliant IT security plan. We conduct the initial development of the IT Security Plan consultatively, following the security regulations for your particular industry. The plan also takes into consideration your organization’s size, current systems, and budget. The plan will clearly indicate how each of its elements addresses one or more of the fourteen families required for CUI compliance. The initial plan development is an affordable billable project, while ongoing maintenance of the plan is included as part of the compliance solution.
What is NIST 800?
The National Institute of Standards and Technology (NIST) is the non-regulatory US Government agency, part of the Department of Commerce, responsible for developing the information security standards and guidelines that federal civilian agencies must follow. The number “800” refers to the series of Special Publications in which NIST publishes its computer security guidelines, recommendations, and reference materials for federal information systems.