
NIST Standards

Benefits of NIST Implementation

Aside from being a requirement for award eligibility with the DoD, the benefits of implementing the NIST SP 800-171 controls in your environment are substantial. They offer a robust set of guidelines that, once met, ensure your organization has an effectively secured environment for its information systems. With upcoming regulations based on the NIST SP 800-171 standard, now is the perfect time to begin implementation in order to stay ahead of the curve and not be left behind during the rush for future standards. Even if your organization has no DFARS requirement because it has no working relationship with the DoD, using the 800-171 controls as the baseline for an information security program is a great idea because of the wide range of security areas its controls cover. With this implementation, you can be more confident that your information system is secured and that your organization is better prepared for any cyber-attacks that may occur. Using NIST SP 800-171 as a framework, the following benefits may be realized:

What are NIST Security Controls?

The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the US Department of Commerce that develops and issues standards, guidelines, and other publications to assist in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help federal agencies manage cost-effective programs to protect their information and information systems.

There are two primary NIST publications to consider when determining which security controls apply to your company: NIST SP 800-53 and NIST SP 800-171, two very similar sets of controls designed for different business environments.

NIST SP 800-53 – NIST SP 800-53 is a set of security controls intended for federal information systems and organizations. It is a large but flexible set of controls designed to meet the needs of agencies of varying size. The controls can vary between low, moderate, and high impact baselines depending on the security requirements of the agency and what can reasonably be achieved there. It is important to note that 800-53 is intended only for federal information systems, so if your company is not a federal agency and is not operating a federal information system on behalf of the government, then 800-53 will not apply to you. For all other contractors that handle CUI, DFARS and 800-171 are the publications to pay attention to.

NIST SP 800-171 – NIST SP 800-171 is a streamlined version of 800-53 created specifically for non-federal businesses and enforced under DFARS. Prior to the publication of DFARS 252.204-7012, only a few select controls from 800-53 were required; now, with 800-171, there is a full set of required controls that must be implemented. NIST SP 800-171 consists of fourteen control families covering a wide range of technical and policy-based requirements to ensure the security of your information system is maintained and monitored. While the implementation of these controls is mandatory, there have been considerations for allowing flexibility in implementation in the form of the Plan of Action and Milestones (POAM).

What are NIST Security Controls?

NIST SP 800-171 was created to be a streamlined version of the 800-53 controls. As such, it contains a condensed and organized collection of core controls to be applied in your organization. It contains fourteen families of controls of varying sizes.

These control families are as follows:

Access Control – This family is self-explanatory but is also the largest of all the families, coming in at a whopping 22 controls. It covers all the different aspects of access control, such as user permissions and grouping based on role and requirements.

Awareness and Training – As the name implies, this control family is all about training your users and keeping them aware of any risks and threats relevant to their position.

Audit and Accountability – This control family covers the need to audit and keep logs of activity on the information system in order to hold users accountable for their actions. Keeping these logs ensures you have a record to reference when performing forensic analysis on your information system.

Configuration Management – This family covers how to properly handle configuration items whenever changes are introduced, as well as the kinds of configurations that are required, such as preventing the use of any non-essential programs, ports, or services.

Identification and Authentication – This area is focused on the identification of users and on authentication protocols, ensuring that end-user access to information systems is controlled. It covers controls such as the use of multi-factor authentication, digital rights management and password policy enforcement.

Incident Response – Incidents will inevitably occur; it is not a matter of if, but a matter of when. This policy-focused family ensures your organization is well prepared to handle and respond to cyber threats when they occur.

Maintenance – Another self-explanatory control family, yet still immensely important. This family is all about ensuring your organization follows regular maintenance procedures so that maintenance of your security implementation is performed both frequently and securely.

Media Protection – This control family is all about protecting your organization’s CUI and the media it is stored on. It covers everything from how to transport the media to how to destroy old media so that nothing is recoverable when it is disposed of.

Personnel Security – Is your organization prepared to handle insider threats? This family details how IT and HR must work together to manage the risks posed by internal employees so that no harm comes to the system.

Physical Protection – You might have the most secure technical implementation in the world protecting your information system, but it means nothing if you forget to lock the door! This control family is all about protecting the physical facility and ensuring your on-premises equipment remains secure.

Risk Assessment – Focused on assessing identified and known risks, the activities required in this family can also surface new, unknown risks through the requirement for vulnerability scans, and they ensure that all risks are remediated as soon as possible.

Security Assessment – This family ensures your organization regularly checks its security implementation for effectiveness. What was fine two years ago may now be obsolete! It’s important to perform regular checks to ensure your environment is still as secure as it should be.

System and Communications Protection – One of the more technical control families, this family is all about protecting the communication that goes on within and around the system to ensure devices are communicating securely. It deals with concepts like transmission encryption and firewall policies.

System and Information Integrity – This control family primarily focuses on dealing with malware and ensuring alerts are in place to warn of incoming attacks. It ensures that your organization will be aware of attacks when they begin and that your anti-malware solutions are up to date and effective.

Why Kreative?

WE WORK IN PARTNERSHIP WITH YOU

Kreative is a small business in the heart of Northern Virginia, home to many of the largest government contractors in the country, which handle incredibly sensitive information as a matter of course. With a highly skilled workforce knowledgeable in IT and the security industry, we are perfectly positioned to assist with your compliance needs. Our experience working with our neighbors across the contracting industry has given us an intimate understanding of on-prem and cloud platforms, as well as MS O365 and Azure GCC High environments, and with it experience in security implementations in highly regulated environments. Over the years, Kreative has developed a wide collection of templates covering all the policies and procedures required for a compliant environment, which can be tailored and packaged to fit the unique environment of your organization. This approach lends itself to quick and proven compliant policy implementation that can assist with creating a culture of security awareness within your organization.

WE USE AN INNOVATIVE APPROACH

Information Security is an ongoing initiative for any organization, as it is important to be prepared to adapt to dynamic situations. Kreative recommends the use of our kSAFE approach. This solution has been developed and continually improved in the Microsoft Office 365 environment to ensure organizational controls adhere to the various requirements outlined in the NIST 800 series and DFARS regulations. Our solution leverages technology and automation to ensure the strongest adherence to IT security controls. Along with various automation tools, forms, workflows and templates, we are also extremely proficient in MS Azure, which provides the back-end Information Security controls around:
  • Platform Security – The processes and infrastructure of MS datacenters to keep information safe
  • Secure Access and Sharing – The access management and share settings to ensure sensitive data is not inadvertently disclosed
  • Awareness and Insights – Complete visibility to make informed decisions, track, and account for all file activity to include full transparency with reporting and alerts
  • Information Governance – The ability to govern the lifecycle of data, including deletion and retention policies, eDiscovery, Mobile Device Management, Single Sign-On, Multi-Factor Authentication and Legal Holds
  • Compliance – A service that meets the latest security compliance standards in the industry