Compliance with NIST


Compliance with NIST 800-171

Agenda
1 What is NIST?
2 Do I Need to Comply?
3 What Are the Requirements?
4 How Can I Determine If I Am Compliant?
5 Corserva's NIST Assessments

What is NIST?
NIST (National Institute of Standards and Technology) is part of the U.S. Department of Commerce. NIST was founded in 1901 and is one of the nation's oldest physical science laboratories. Congress established the agency to remove a major challenge to U.S. industrial competitiveness at the time: a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany, and other economic rivals. The Information Technology Laboratory (ITL) at NIST promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure.

What is NIST SP 800-171?
NIST Special Publication 800-171 (originally published in June 2015 and updated to Revision 1 in December 2016) specifically covers the protection of Controlled Unclassified Information (CUI). The requirements in this publication are derived from FIPS Publication 200 and the moderate security control baseline in NIST Special Publication 800-53. NIST SP 800-53 covers security controls for U.S. federal information systems other than national security systems. These requirements and security controls have been refined over time to provide the necessary protection for federal information and systems covered under FISMA (the Federal Information Security Modernization Act of 2014).

What is CUI?
Controlled Unclassified Information (CUI) is information created by the government, or by an entity on behalf of the government, that is unclassified but still requires safeguarding. CUI is sensitive and relevant to the interests of the United States, and potentially its national security, but is not strictly regulated by the federal government. For contractors, it is the unclassified information stored on covered contractor information systems.

Examples of CUI
- Email
- Electronic files
- Blueprints and drawings
- Proprietary company/contractor information
- Physical records (printouts)


Do I Need to Comply?
Entities that handle government controlled unclassified information must comply. Typical entities with this kind of information include universities, research institutions, consulting companies, service providers, and manufacturers. Many manufacturing companies are either prime contractors or subcontractors to prime contractors on various government contracts. These entities will almost always have CUI on premises or in cloud/provider-based systems and applications. Manufacturers must be compliant with NIST 800-171 by December 31, 2017.

Have I Been Notified?
If you are a manufacturer, you may be notified by a prime contractor or subcontractor that you need to comply with NIST 800-171 by December 31, 2017. Notification can come directly (by mail or email) or as a notice within a portal. You may not be notified at all.


NIST 800-171 Family of Requirements
3.1 Access Control
3.2 Awareness and Training
3.3 Audit and Accountability
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.7 Maintenance
3.8 Media Protection
3.9 Personnel Security
3.10 Physical Protection
3.11 Risk Assessment
3.12 Security Assessment
3.13 System and Communications Protection
3.14 System and Information Integrity

Defining the NIST 800-171 Requirements
Four types of data management requirements:
1. Controls: data management controls and processes
2. Monitoring/Management: real-time monitoring and management of defined IT systems
3. End User Practices: documented, well-defined end-user practices and procedures
4. Security Measures: implementation of defined security measures

NIST 800-171 Requirements: Controls
- Assess and develop appropriate security controls
- Develop formal policies and procedures
- Create and maintain audit records of access to CUI
- Transmit data securely, including encryption in transit
- Encrypt data at rest

NIST 800-171 Requirements: Monitoring/Management
- Monitor and manage user access to information systems
- Authenticate users and use multi-factor authentication
- Establish an operational incident management process
- Patch critical systems and scan for vulnerabilities
- Deploy anti-virus/anti-malware solutions and monitor their activity
- Monitor network traffic for malicious activity

NIST 800-171 Requirements: End User Practices
- Training and awareness for end users and system administrators on proper procedures for handling CUI
- Management must define and enforce minimum password complexity requirements

NIST 800-171 Requirements: Security Measures
- Assess and develop appropriate security controls
- Secure backup of CUI
- Create and enforce policies to prevent unauthorized software
- Identify, track, and restrict access to network/application ports (firewalls and host systems)

Summary of NIST 800-171 Requirements


How Can I Determine Compliance?
The easiest route to determining your compliance status is an assessment by an outside third party. The assessment should consist of three phases:
1. Information gathering
2. Data analysis
3. Preparation of findings for presentation to management
From this assessment, you will have a specific roadmap to follow to achieve compliance.


What Does a NIST Assessment Project Look Like?
Several stages are involved:
- Business process review
- Technical assessment (systems and network)
- Data analysis
- Post-assessment: a plan for ongoing validation on a regular basis

About Corserva
- Founded in 1985 as a division of the Dun & Bradstreet Corporation
- Focused on providing advanced technology solutions to mid-market and enterprise clients
- Managed Services include IT Managed Infrastructure, Managed Security, and Backup/Recovery
- Life Cycle services include full life-cycle management for all IT devices
- Cloud Services including Private Cloud and Hybrid Cloud
- Experienced, trained, and certified engineers in every major IT discipline
- Finely tuned operations capabilities, including 24x7 network operations and security monitoring
- All services supported by two highly certified data centers (HIPAA and PCI compliance)
- A number of clients in the manufacturing sector
- Experienced provider of IT assessments, including those for NIST and HIPAA
www.corserva.com