Compliance with NIST 800-171
Agenda
1. What is NIST?
2. Do I Need to Comply?
3. What Are the Requirements?
4. How Can I Determine If I Am Compliant?
5. Corserva's NIST Assessments
What is NIST?
NIST (National Institute of Standards and Technology) is part of the U.S. Department of Commerce. Founded in 1901, it is one of the nation's oldest physical science laboratories. Congress established the agency to remove a major challenge to U.S. industrial competitiveness at the time: a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany, and other economic rivals. NIST's Information Technology Laboratory (ITL) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure; ITL's Computer Security Division publishes the SP 800 series of security guidance, including SP 800-171.
What is NIST SP 800-171?
NIST Special Publication 800-171 (first published in June 2015; Revision 1 released in December 2016) covers the protection of Controlled Unclassified Information (CUI) in nonfederal information systems and organizations. Its requirements are derived from FIPS Publication 200 and the moderate security control baseline in NIST SP 800-53. SP 800-53 catalogs the security controls for U.S. federal information systems other than national security systems; those controls are how agencies meet their obligations under FISMA (the Federal Information Security Modernization Act of 2014). SP 800-171 tailors that baseline down to the requirements that matter when CUI is held on a contractor's systems rather than the government's own, dropping controls that are uniquely federal or not directly related to protecting CUI.
What is CUI?
Controlled Unclassified Information (CUI) is information the government creates or possesses, or that an entity creates or possesses on the government's behalf, that is not classified but that a law, regulation, or government-wide policy requires to be safeguarded or subject to dissemination controls. The CUI program is established by Executive Order 13556 and governed by 32 CFR Part 2002; the authorized categories are listed in the National Archives' CUI Registry, so CUI is very much regulated, just not classified. For contractors, the information of concern is CUI stored, processed, or transmitted on covered contractor information systems (the term used in the DFARS 252.204-7012 clause).
Examples of CUI
- Email
- Electronic files
- Blueprints and drawings
- Proprietary company/contractor information
- Physical records (printouts)
Note that these are media and formats, not categories: what makes information CUI is its designation under the CUI Registry (and the markings that come with it), not the form it takes. Printouts and email attachments are in scope just as much as a database.
Do I Need to Comply?
Entities that handle government CUI must comply. Typical examples are universities, research institutions, consulting companies, service providers, and manufacturers. Many manufacturers are prime contractors, or subcontractors to prime contractors, on government contracts, and these entities almost always hold CUI on premises or in cloud/provider-hosted systems and applications. For Department of Defense work the obligation comes from the DFARS 252.204-7012 clause, which required contractors and subcontractors that handle covered defense information to implement NIST SP 800-171 not later than December 31, 2017.
Have I Been Notified?
If you are a manufacturer, you may be notified by a prime contractor (or by the subcontractor above you in the supply chain) that you must comply with NIST SP 800-171 by December 31, 2017, because the DFARS clause flows down to every subcontractor whose work involves covered defense information. Notification can arrive directly (mail or email) or as a notice in a supplier portal. You may also not be notified at all; the obligation attaches to the contract clause, not to the notice, so check your contracts and purchase orders for the clause rather than waiting for a letter.
NIST 800-171 Family of Requirements
3.1 Access Control
3.2 Awareness and Training
3.3 Audit and Accountability
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.7 Maintenance
3.8 Media Protection
3.9 Personnel Security
3.10 Physical Protection
3.11 Risk Assessment
3.12 Security Assessment
3.13 System and Communications Protection
3.14 System and Information Integrity
Defining the NIST 800-171 Requirements
For assessment purposes, Corserva groups the 110 requirements in Revision 1 into four types of data-management obligation:
1. Controls: data-management controls and processes
2. Monitoring/Management: real-time monitoring and management of the defined IT systems
3. End-User Practices: documented, well-defined end-user practices and procedures
4. Security Measures: implementation of the defined security measures
NIST 800-171 Requirement: Controls
- Assess and develop appropriate security controls
- Development of formal policies and procedures
- Creation and maintenance of audit records covering access to CUI (family 3.3)
- Secure transmission of data, including encryption (3.13.8)
- Encryption of data at rest (3.13.16)
Where cryptography is used to meet any of these, 3.13.11 requires that it be FIPS-validated; a product that merely advertises AES is not sufficient evidence on its own.
NIST 800-171 Requirement: Monitoring/Management
- Monitor and manage user access to information systems (family 3.1)
- Authenticate users and use multi-factor authentication: 3.5.3 requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts
- Establish an operational incident-handling process (family 3.6)
- Patch critical systems and scan for vulnerabilities (3.14.1, 3.11.2)
- Deploy anti-virus/anti-malware protection and monitor its activity (3.14.2)
- Monitor network traffic, inbound and outbound, for malicious activity (3.14.6)
NIST 800-171 Requirement: End-User Practices
- Training and awareness for end users and system administrators on proper procedures for handling CUI (family 3.2)
- Management must define and enforce minimum password complexity (3.5.7); 3.5.8 additionally prohibits password reuse for a specified number of generations, and 3.5.10 requires passwords to be stored and transmitted only in cryptographically protected form
NIST 800-171 Requirement: Security Measures
- Assess and develop appropriate security controls
- Secure backup of CUI (3.8.9: protect the confidentiality of backup CUI at storage locations)
- Create and enforce policies to prevent unauthorized software (3.4.8 deny-by-exception or permit-by-exception application control; 3.4.9 control and monitor user-installed software)
- Identify, track, and restrict nonessential network/application ports, protocols, and services (3.4.7) on firewalls and on the systems themselves
Summary of NIST 800-171 Requirements
How Can I Determine Compliance?
The most direct route to determining your compliance status is an assessment by an outside third party, although SP 800-171 itself permits self-assessment (3.12.1 requires periodic assessment of the security requirements but does not prescribe who performs it). The assessment should consist of three phases:
1. information gathering
2. data analysis
3. preparation of findings for presentation to management
The findings feed the two documents Revision 1 requires of every organization: a System Security Plan (3.12.4) describing how each requirement is implemented, and a Plan of Action and Milestones (3.12.2) listing each unmet requirement with an owner and a target date. Together these are your roadmap to compliance, and the POA&M is what a prime contractor is most likely to ask to see.
What Does a NIST Assessment Project Look Like?
Several stages are involved:
- Business process review
- Technical assessment (systems and network)
- Data analysis
- Post-assessment: a plan for ongoing validation on a regular basis
About Corserva
- Founded in 1985 as a division of the Dun & Bradstreet Corporation
- Focused on providing advanced technology solutions to mid-market and enterprise clients
- Managed Services include IT Managed Infrastructure, Managed Security, and Backup/Recovery
- Life Cycle services include full life-cycle management for all IT devices
- Cloud Services including Private Cloud and Hybrid Cloud
- Experienced, trained, and certified engineers in every major IT discipline
- Finely tuned operations capabilities, including 24x7 network operations and security monitoring
- All services supported by two highly certified data centers (HIPAA and PCI compliance)
- A number of clients in the manufacturing sector
- Experienced provider of IT assessments, including those for NIST and HIPAA
www.corserva.com