NIST 800-171 Compliance with CimTrak

Protecting CUI in Non-Federal Systems and Organizations

NIST special publication 800-171, called the Defense Federal Acquisition Regulation Supplement (DFARS), deals with the unique risk existing when information is managed and controlled in nonfederal systems and organizations where Controlled Unclassified Information (CUI) is processed, stored and transmitted.

CimTrak provides detailed alerts, reports, and controls that map to the following requirement families:

NIST 800-171 Rev2

  • 3.1 - ACCESS CONTROL
  • 3.3 - AUDIT AND ACCOUNTABILITY
  • 3.4 - CONFIGURATION MANAGEMENT
  • 3.8 - MEDIA PROTECTION
  • 3.11 - RISK ASSESSMENT
  • 3.12 - SECURITY ASSESSMENT
  • 3.13 - SYSTEM AND COMMUNICATIONS PROTECTION
  • 3.14 - SYSTEM AND INFORMATION INTEGRITY

How CimTrak Helps with NIST 800-171 

Compliance and Auditing

Continuous compliance, with prescriptive steps to remediate failed systems so that they return to a trusted and expected state.

Risk Management

Monitor critical configurations to ensure a compliant state. CimTrak operates in real time, bringing the Mean-Time-To-Identify (MTTI) a security incident down to seconds.

Managing Vulnerabilities

Monitor your environment and prevent unauthorized access to your routers, firewalls, and network devices.

What about NFO Controls?

NIST 800-171 consists of 14 control categories totaling 110 controls, in addition to another 62 Non-Federal Organization (NFO) controls.

  • As defined by NIST 800-171, NFO controls are “expected to be routinely satisfied by non-federal organizations without specification.”
  • In this context, the term “without specification” means that NIST approaches these NFO requirements as basic expectations that do not need a detailed description, since they are fundamental components of any organization’s security program.

Of the 14 control categories, 110 controls and 62 NFO controls, CimTrak addresses 8 control categories, 33 discrete controls and 13 NFO controls.

  • A crosswalk is given for each CimTrak product that provides a control or an automated scan, or that enables a process, procedure or policy which assists with evidence collection to meet the objective of a defined domain, category, control, standard, component or assessment factor.

NFO Controls CimTrak Addresses

  • SA-10 Developer Configuration Management
  • SI-1 System and Information Integrity Policy and Procedures
  • SI-4(5) Information System Monitoring | System-Generated Alerts
  • AU-1 Audit and Accountability Policy and Procedures
  • CA-7(1) Continuous Monitoring | Independent Assessment
  • CM-1 Configuration Management Policy and Procedures
  • CM-2(1) Baseline Configuration | Reviews and Updates
  • CM-2(7) Baseline Configuration | Configure Systems, Components, or Devices for High-Risk Areas
  • CM-3(2) Configuration Change Control | Test / Validate / Document Changes
  • CM-8(5) Information System Component Inventory | No Duplicate Accounting of Components
  • CM-9 Configuration Management Plan
  • RA-5(1) Vulnerability Scanning | Update Tool Capability
  • RA-5(2) Vulnerability Scanning | Update by Frequency / Prior to New Scan / When Identified

Complying with 800-171 does not mean you will automatically pass a CMMC audit, as CMMC includes 3 additional domains (Asset Management, Recovery, and Situation Awareness) and 2 non-NIST 800-171 controls.

CimTrak Simplifies NIST 800-171 Compliance

DETAILED AUDIT REPORTS AND FORENSIC EVIDENCE

CimTrak provides forensic analysis of outages and security incidents in real time. Forensic details include which files were added, modified or deleted, the source IP address, the user who made the change, the time of the change, and the process involved.

ROLL-BACK/RESTORE

CimTrak has a unique capability to manually or automatically roll back and restore files that drift from a known and expected state. This is particularly important for system attributes and configuration settings that should NEVER change. This feature improves mean-time-to-repair/restore/recover (MTTR), helping prevent both security incidents and operational failures.

CONTINUOUS MONITORING

Given CimTrak’s patented real-time change detection capability, immediate notification and remediation options are available to ensure that any potential threat, internal or external, does not spread throughout the organization. CimTrak’s mean time to detect (MTTD) malicious and unwanted changes is measured in minutes, as opposed to the industry average of 195 days.

ALERTING

CimTrak’s ticketing functionality integrates with ITSM technologies, creating a closed-loop change management environment that reconciles expected and approved changes. This approach drastically reduces the "noise" problem: authorized and expected changes (e.g. patches) are logged and archived, leaving only those alerts that highlight unknown, unauthorized and potentially malicious changes or activity.

When CimTrak detects a change, its Trusted File Registry (TFR), a database of known and trusted files as published by the software vendors themselves, validates and verifies the trust and integrity of each individual file. The TFR database holds several billion cryptographic hashes of trusted files, together with source and meta-level information for each file.
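As an added illustration of the baseline-and-registry logic described above (example code, not CimTrak's own implementation or API), the following Python hashes a directory tree, compares a later snapshot against the stored baseline, and treats a changed file whose new hash appears in a set of vendor-published trusted hashes (standing in for a TFR lookup) as an expected change, so that only unknown changes remain as alerts. The file paths, contents and the trusted hash set are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries stay off the heap."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(baseline, current, trusted_hashes):
    """Return (path, event, disposition) tuples for drift from the baseline.
    An added or modified file whose new hash is in trusted_hashes (vendor-
    published, as a TFR lookup would supply) is 'expected', e.g. a patch;
    every other change, and every deletion, is an 'alert'."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append((rel, "deleted", "alert"))
        elif rel not in baseline or baseline[rel] != current[rel]:
            event = "added" if rel not in baseline else "modified"
            status = "expected" if current[rel] in trusted_hashes else "alert"
            events.append((rel, event, status))
    return events


def alerts_only(events):
    """The reduced stream an operator actually reviews: unknown changes only."""
    return [e for e in events if e[2] == "alert"]


def demo():
    """Constructed scenario: baseline three files, then apply one vendor patch
    (hash pre-registered as trusted), one unauthorized config edit, one deletion."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"sshd build 1")
        (root / "etc" / "sshd_config").write_bytes(b"PermitRootLogin no\n")
        (root / "etc" / "motd").write_bytes(b"authorized use only\n")
        baseline = snapshot(root)
        patched = b"sshd build 2"
        trusted = {hashlib.sha256(patched).hexdigest()}  # vendor hash of patch
        (root / "bin" / "sshd").write_bytes(patched)  # expected change
        (root / "etc" / "sshd_config").write_bytes(b"PermitRootLogin yes\n")
        (root / "etc" / "motd").unlink()
        return diff_baseline(baseline, snapshot(root), trusted)
```

Running `demo()` yields three drift events, of which only the config edit and the deletion survive `alerts_only()`; the patched binary is reconciled against the trusted hash and suppressed.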

REQUIREMENT 3.1 ACCESS CONTROL

Cross Mappings (CMMC#, NIST 800-53) and how CimTrak helps:

  • 3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). CMMC: AC.1.001. 800-53: AC-2, AC-3, AC-17. How CimTrak helps: CimTrak can restrict and prevent access and changes to system files, directories and other critical operating components, and report forensic-level data.
  • 3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute. CMMC: AC.1.002. 800-53: AC-2, AC-3, AC-17.
  • 3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion. CMMC: AC.3.017. 800-53: AC-5.
  • 3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions. CMMC: AC.3.018. 800-53: AC-6(9), AC-6(10).
  • 3.1.9 Provide privacy and security notices consistent with applicable CUI rules. CMMC: AC.2.005. 800-53: AC-8.


REQUIREMENT 3.3 AUDIT AND ACCOUNTABILITY

Cross Mappings (CMMC#, NIST 800-53) and how CimTrak helps:

  • 3.3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. CMMC: AU.2.042. 800-53: AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12. How CimTrak helps: CimTrak detects changes from a trusted and secure baseline across a broad range of systems and applications in the IT environment and generates comprehensive audit trails, reports and forensic details to investigate unauthorized changes and activities. Audit trails and reports generated by CimTrak include information on "who" made a change so that it can be traced directly to a system user. Because CimTrak captures this information in real time, abnormal change events can be investigated immediately, helping ensure the security of sensitive data.
  • 3.3.2 Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. CMMC: AU.2.041. 800-53: AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12. How CimTrak helps: CimTrak provides forensic details about the actions of individuals, including what they were looking at, the source IP address, whether changes were made, the user who made the change, the time of the change, and the process involved.
  • 3.3.5 Use automated mechanisms to integrate and correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity. CMMC: AU.3.051. 800-53: AU-6(3). How CimTrak helps: CimTrak detects change events in real time and can send them to almost any Security Information and Event Manager (SIEM) for further analysis and correlation. SIEM integration is configured directly from the CimTrak Management Console.
  • 3.3.6 Provide audit reduction and report generation to support on-demand analysis and reporting. CMMC: AU.3.052. 800-53: AU-7. How CimTrak helps: CimTrak provides real-time audit information and can generate reports on a set schedule or on demand. Both audit trails and reports are extremely detailed and provide a wealth of information about changes, including "who" made the change, "what" exactly changed, "when" it changed, and "what process" made the change.
  • 3.3.8 Protect audit information and audit tools from unauthorized access, modification, and deletion. CMMC: AU.3.049. 800-53: AU-6(7), AU-9. How CimTrak helps: CimTrak audit trails are stored within the CimTrak Master Repository in a secure, encrypted format where they cannot be altered.
  • 3.3.9 Limit management of audit functionality to a subset of privileged users. CMMC: AU.3.050. 800-53: AU-6(7), AU-9(4). How CimTrak helps: Viewing of CimTrak audit data can be restricted to specific, approved users.

REQUIREMENT 3.4 CONFIGURATION MANAGEMENT

Cross Mappings (CMMC#, NIST 800-53) and how CimTrak helps:

  • 3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. CMMC: CM.2.061. 800-53: CM-2, CM-6, CM-8, CM-8(1). How CimTrak helps: CimTrak's core competency is keeping data secure by establishing, maintaining, and monitoring system baselines. Baselines can be created at any point in a system's lifecycle. System baselines are securely stored within the CimTrak Master Repository, where they are monitored for changes. Changes to a system's baseline can be tracked over time, and alerts are issued should an unexpected change occur, indicating a possible compromise.
  • 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems. CMMC: CM.2.064. 800-53: CM-2, CM-6, CM-8, CM-8(1). How CimTrak helps: CimTrak provides historical configuration settings to establish a chain of evidence and root of trust. CimTrak's patented real-time change detection and response technology provides a closed-loop change control system that covers everything from servers and desktops to cloud configurations, hypervisors, container orchestration, databases and more. CimTrak has a built-in ticketing system that can be used standalone or together with leading ITSM vendors to capture authorized work orders and reconcile expected changes with observed ones, leaving unwanted and unexpected changes highlighted for review and/or remediation. CimTrak provides manual or automated roll-back as well as change prevention for those files, directories or configurations that should never change. CimTrak also provides both blacklisting and whitelisting correlation, STIX/TAXII feeds and file reputation services to give more context on what should and should not be running in your environment.
  • 3.4.3 Track, review, approve/disapprove, and audit changes to information systems. CMMC: CM.2.065. 800-53: CM-3.
  • 3.4.4 Analyze the security impact of changes prior to implementation. CMMC: CM.2.066. 800-53: CM-4.
  • 3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system. CMMC: CM.3.067. 800-53: CM-5.
  • 3.4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities. CMMC: CM.2.062. 800-53: CM-7. How CimTrak helps: CimTrak leverages the best practices of both CIS Benchmarks and DISA STIGs to establish a referenceable configuration baseline of trust. Deviations from this baseline are detected in real time to ensure there is no integrity drift from a known and trusted reference point. This includes the addition, modification and deletion of software applications.
  • 3.4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services. CMMC: CM.3.068. 800-53: CM-7(1), CM-7(2). How CimTrak helps: CimTrak provides historical configuration settings to establish a chain of evidence and root of trust. CimTrak's patented real-time change detection and response technology provides a closed-loop change control system that covers everything from servers and desktops to cloud configurations, hypervisors, container orchestration, databases, and more. CimTrak has a built-in ticketing system that can be used standalone or together with leading ITSM vendors to capture authorized work orders and reconcile expected changes with observed ones, leaving unwanted and unexpected changes highlighted for review and/or remediation. CimTrak provides manual or automated roll-back as well as change prevention for those files, directories or configurations that should never change. CimTrak also provides both blacklisting and whitelisting correlation, STIX/TAXII feeds and file reputation services to give more context on what should and should not be running in your environment.
  • 3.4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. CMMC: CM.3.069, CM.4.073. 800-53: CM-7(4), CM-7(5).
  • 3.4.9 Control and monitor user-installed software. CMMC: CM.2.063. 800-53: CM-11. How CimTrak helps: CimTrak can identify user-installed software to ensure that unneeded or disallowed software is not installed.

REQUIREMENT 3.8 MEDIA PROTECTION

Cross Mappings (CMMC#, NIST 800-53) and how CimTrak helps:

  • 3.8.9 Protect the confidentiality of backup CUI at storage locations. CMMC: RE.2.138. 800-53: CP-9. How CimTrak helps: CimTrak stores and protects information for the purpose of providing roll-back and remediation in the event that an unwanted or unexpected change occurs. That data is securely stored and encrypted to ensure non-repudiation of the data in question.

REQUIREMENT 3.11 RISK ASSESSMENT

Cross Mappings (CMMC#, NIST 800-53) and how CimTrak helps:

  • 3.11.2 Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified. CMMC: RM.2.142. 800-53: RA-5, RA-5(5). How CimTrak helps: CimTrak can scan for and detect vulnerabilities using threat intelligence feeds as well as whitelisting/blacklisting cloud services.
  • 3.11.3 Remediate vulnerabilities in accordance with assessments of risk. CMMC: RM.2.143. 800-53: RA-5. How CimTrak helps: CimTrak provides the capability to remediate certain vulnerabilities, and to prevent many vulnerabilities from occurring, based on its ability to detect and identify malicious code in real time through blacklisting/whitelisting services.

REQUIREMENT 3.12 SECURITY ASSESSMENT

Cross Mappings (CMMC#, NIST 800-53) and how CimTrak helps:

  • 3.12.3 Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls. CMMC: CA.3.161. 800-53: CA-2, CA-5, CA-7, PL-2. How CimTrak helps: CimTrak is a critical detective control used to determine the integrity of infrastructure and adherence to the processes that underpin a majority of all compliance requirements.

REQUIREMENT 3.13 SYSTEM AND COMMUNICATIONS PROTECTION

Cross Mappings (CMMC#, NIST 800-53) and how CimTrak helps:

  • 3.13.16 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). CMMC: SC.3.191. 800-53: SC-28. How CimTrak helps: CimTrak is the underlying integrity component that validates and verifies that boundary protection systems have not drifted from a known, expected or trusted state of operation. All sessions for management of systems and network devices are encrypted, as is the CUI while at rest.
  • 3.13.3 Separate user functionality from information system management functionality. CMMC: SC.3.181. 800-53: SC-2.

REQUIREMENT 3.14 SYSTEM AND INFORMATION INTEGRITY

Cross Mappings (CMMC#, NIST 800-53) and how CimTrak helps:

  • 3.14.1 Identify, report, and correct information and information system flaws in a timely manner. CMMC: SI.1.210. 800-53: SI-2, SI-3, SI-5. How CimTrak helps: CimTrak integrity management monitors and alerts in real time on unexpected and unwanted changes, identifying system flaws and threats with its cloud-integrated services, which include whitelisting, STIX/TAXII feeds and file reputation.
  • 3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems. CMMC: SI.1.211. 800-53: SI-2, SI-3, SI-5. How CimTrak helps: CimTrak integrity management monitors and alerts in real time on unexpected and unwanted changes, identifying system flaws and threats with its cloud-integrated services, which include whitelisting, STIX/TAXII feeds and file reputation. CimTrak can also prevent file execution based on any combination of the cloud services and feeds.
  • 3.14.2e Provide protection from malicious code at appropriate locations within organizational information systems. CMMC: SI.5.223. 800-53: SI-4. How CimTrak helps: CimTrak monitors and reports in real time on change activity from a variety of trusted sources and workflow processes to determine whether changes to your infrastructure are unknown, unwanted or malicious.
  • 3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response. CMMC: SI.2.214. 800-53: SI-2, SI-3, SI-5. How CimTrak helps: CimTrak integrity management monitors and alerts in real time on unexpected and unwanted changes, identifying system flaws and threats with its cloud-integrated services, which include whitelisting, STIX/TAXII feeds and file reputation.
  • 3.14.4 Update malicious code protection mechanisms when new releases are available. CMMC: SI.1.212. 800-53: SI-3. How CimTrak helps: CimTrak integrity management monitors and alerts in real time on unexpected and unwanted changes, identifying system flaws and threats with its cloud-integrated services, which include whitelisting, STIX/TAXII feeds and file reputation. CimTrak can also prevent file execution based on any combination of the cloud services and feeds.
  • 3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. CMMC: SI.1.213. 800-53: SI-3.
  • 3.14.6 Monitor the information system, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. CMMC: SI.2.216. 800-53: AU-2, AU-2(3), AU-6, SI-4, SI-4(4). How CimTrak helps: CimTrak monitors and reports in real time on change activity from a variety of trusted sources and workflow processes to determine whether changes to your infrastructure are unknown, unwanted or malicious.
  • 3.14.6e CMMC: SI.4.221. 800-53: SI-5, SI-5(1). How CimTrak helps: CimTrak integrity management monitors and alerts in real time on unexpected and unwanted changes, identifying system flaws and threats with its cloud-integrated services, which include whitelisting, STIX/TAXII feeds and file reputation.
  • 3.14.7 Identify unauthorized use of the information system. CMMC: SI.2.217. 800-53: SI-4. How CimTrak helps: CimTrak monitors and reports in real time on change activity from a variety of trusted sources and workflow processes to determine whether changes to your infrastructure are unknown, unwanted or malicious.