Data Security and NIST Compliance
When hearing the words NIST Compliance, businesses not familiar with the Federal Information Security Management Act (FISMA) terminology and procedures may cringe, but they don't have to. National Institute of Standards and Technology (NIST) compliance and data security are required for DoD contractors and sub-contractors.
Organizations that handle controlled unclassified information must comply with NIST SP 800-171. As a subset of NIST 800-53, the latest NIST SP 800-171 release covers Controlled Unclassified Information (CUI).
Defining NIST Compliance
Before the requirements of NIST are discussed, it is best to define compliance-related terms.
- Controlled Unclassified Information (CUI): CUI is sensitive information that relates to the interests of the US but is not regulated by the Federal government.
- Federal Information Security Management Act (FISMA): Federal law enacted in 2002 requiring federal agencies to develop, implement and document information security programs.
  - Categories within FISMA include:
    - System Integrity (SI)
    - Configuration Management (CM)
    - Incident Response (IR)
    - Audit (AU)
  - FISMA is often considered the regulatory standard for government cybersecurity factions.
- National Institute of Standards and Technology (NIST): Non-regulatory agency of the United States Department of Commerce.
- NIST 800-171: Provides federal agencies with recommended requirements for protecting the confidentiality of CUI. The most current compliance requirements were enacted on 31 December 2017.
- NIST 800-53: Defines the guidelines and standards for federal agencies to manage their information security systems. It also notes what should be covered for security control selection within the Federal Information Processing Standard (FIPS). NIST 800-53 has existed since 2005; its most recent updates occurred in 2017.
The guidelines, resources, and security controls put together by NIST are considered a benchmark for best practices, and are even used by other compliance requirements such as HIPAA, NERC, and PCI DSS.
KEY TAKE-AWAYS FOR NIST 800-53
The purpose of FISMA is to develop and enforce key security standards and guidelines for handling data. The goal is to ensure that federal government entities comply with these standards. Information security management is top of mind for many.
The security controls in NIST Special Publication 800-53 are designed to facilitate compliance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Compliance is not about adhering to static checklists or generating unnecessary FISMA reporting paperwork. Rather, compliance necessitates organizations executing due diligence with regard to information security and risk management.
KEY TAKE-AWAYS FOR NIST 800-171
As a framework put in place to protect Controlled Unclassified Information (CUI), NIST 800-171 discusses the necessity of ensuring the integrity and availability of US Federal Government data through implementation of the NIST controls.
Chapter 3 of NIST 800-171 focuses on the requirements for protecting the confidentiality of CUI.
3.1 ACCESS CONTROL
Are there limits on what authorized users can access? Are you aware of who has access within your organization?
3.2 AWARENESS AND TRAINING
Are employees trained? More importantly, are employees aware of the data-security risks associated with non-compliance?
3.3 AUDIT AND ACCOUNTABILITY
Can you identify users who violate the policy? Are you able to provide records and a complete audit trail of these actions?
3.4 CONFIGURATION MANAGEMENT
Do you have an established baseline configuration? Are all changes and restrictions tracked and documented? Is there continuous monitoring?
3.5 IDENTIFICATION AND AUTHENTICATION
How are users verified? Pay special attention to passwords and to the processes governing how passwords are stored and transmitted.
3.6 INCIDENT RESPONSE
Is there a system in place that is capable of documenting and managing all aspects of an incident response? Is there an information security management plan?
3.7 MAINTENANCE
Are maintenance checks run on your information systems annually? How is this achieved? What security controls have been put in place?
3.8 MEDIA PROTECTION
Who has access to backups and even hard copy records?
3.9 PERSONNEL SECURITY
Is a screening process in place before an individual can access CUI?
3.10 PHYSICAL PROTECTION
Are physical security standards evaluated and practiced? Is the data secure from a physical perspective?
3.11 RISK ASSESSMENT
Are vulnerabilities assessed and scanned for?
3.12 SECURITY ASSESSMENT
Is the effectiveness of the controls measured and monitored?
3.13 SYSTEM AND COMMUNICATIONS PROTECTION
Is there regular and continuous monitoring of all data transmissions and endpoints?
3.14 SYSTEM AND INFORMATION INTEGRITY
Are you able to quickly identify, detect, and remediate threats?
Integrity Monitoring for NIST Compliance
Configuration management, audit categories, and mappings between NIST 800-171 and 800-53 do not have to be challenging or difficult. A file integrity monitoring (FIM) tool can help organizations meet and maintain the FISMA System Integrity (SI) requirements.
Advanced monitoring tools are needed to automatically monitor the integrity of information systems and the applications they host.
Once the auditing requirements of your information systems are identified, your FIM solution should provide change variance reporting on all critical elements, including the integrity of the operating system, configuration files, applications, network devices, registry keys, and user profiles, and report every change to them. A FIM tool should also be able to identify user-installed software, ensuring that unneeded or restricted software is not installed. It is also beneficial to have real-time file and malware analysis, cloud security, and threat feed integration, providing greater insight into your organization. File integrity monitoring software should also provide a wide array of customizable reports that deliver the level of granularity needed to keep your organization secure.
File integrity monitoring (FIM) software should monitor systemic functions and auditing tenets such as:
- File system read access
- Registry access and change
- System user control
- System group control
- Local security policies
- System and application services
- Windows hardware interfaces
- Deployed software
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, and higher education, and has worked in the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".