Home | Our Services
Request a FREE Consultation here:
MORE ON SECURITY COMPLIANCE:
Benefits of NIST Implementation
What are NIST Security Controls?
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the US Department of Commerce that develops and issues standards, guidelines, and other publications to assist in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost effective programs to protect their information and information systems.
There are two primary NIST publications to consider when determining what security controls apply to your company. There is NIST SP 800.53, and NIST SP 800.171, two very similar sets of controls designed for different business environments.
NIST SP 800.53 – NIST SP 800.53 is a set of security controls intended for federal information systems and organizations. It is a large but flexible set of controls designed to meet the needs of agencies of varying size. The controls can vary between low, moderate, and high impact configurations depending on the security requirements of the agency and what can reasonably be achieved in that agency. It is important to note that 800.53 is only intended for federal information systems, so if your company is not a federal agency or is not operating a federal information system on behalf of the government then 800.53 will not apply to you. For all other contractors that handle CUI, DFARS and 800.171 are the publications to pay attention to.
NIST SP 800.171 – NIST SP 800.171 is a streamlined version of 800.53 created specifically to be applied to non-federal businesses enforced under DFARS. Prior to the publishing of DFARS 252.204-7012 only a few select controls from 800.53 were required, now however with 800.171 we have a full set of required controls that need to be implemented. NIST SP 800.171 consists of fourteen different control families covering a wide range of technical and policy-based requirements to ensure the security of your information system is maintained and monitored. While the implementation of these controls is mandatory, there has been considerations for allowing flexibility in the implementation in the form of the Plan of Action and Milestones (POAM).
What are NIST Security Controls?
NIST SP 800.171 was created to be a streamlined version of the 800.53 controls. As such, it contains a condensed and organized collection of core controls to be applied in your organization. It contains fourteen families of controls of varying sizes.
These control families are as follows:
Access Control -This family is self-explanatory but is also the largest of all the families coming in at a whopping 22 controls. It covers all the different aspects of access control such as user permissions and grouping based on role and requirements.
Awareness and Training – As the name implies this control family is all about training your users and keeping them aware of any risks and threats relevant to their position
Audit and Accountability – This control family covers the need to audit and keep logs of activity on the information system in order to keep users accountable for their activity. Keeping these logs ensure you have a record to reference when performing forensic analysis on your information system.
Configuration Management – This family discusses how to properly handle configuration items whenever changes are introduced to include the kind of configurations which are required, such as preventing the use of any non-essential programs, ports, or services.
Identification and Authentication – This area is focused on the identification of users and authentication protocols ensuring end-user access to information systems are controlled. It covers controls such as the use of multi-factor authentication, digital rights management and password policy enforcement.
Incident Response –Incidents will inevitably occur – it is not a matter of if, as much as it is a matter of when. This policy focused family ensures your organization is well prepared to handle and respond to cyber threats when they occur.
Maintenance – Another self-explanatory control family, yet still immensely important. This family is all about ensuring your organization follows regular maintenance procedures to ensure maintenance is performed on your security implementation both frequently and securely.
Media Protection – This control family is all about protecting your organization’s CUI and the media it is stored on. It covers everything from how to transport the media as well as how to destroy old media to ensure nothing is recoverable when it is disposed.
Personnel Security – Is your organization prepared to handle insider threats? This family details how both IT and HR must work together to handle the risks posed by internal employees and how to effectively handle them to ensure no harm comes to the system.
Physical Protection – You might have the most secure technical implementation in the world protecting your information system, but it means nothing if you forget to lock the door! This control family is all about how to protect the physical facility and ensures your on premise equipment remains secure.
Risk Assessment – Focused on assessing any identified and known risks, the activities required in this family can also highlight new unknown risks through the requirement for vulnerability scans and ensures that all risks are remediated as soon as possible.
Security Assessment – This family ensures your organization is regularly checking its security implementation for its effectiveness. What was fine two years ago may now be obsolete! It’s important to perform regular checks to ensure your environment is still as secure as it should be.
System and Communications Protection – One of the more technical of the control families, this family is all about protecting the communication that goes on within and around the system to ensure devices are communicating securely. It deals with concepts like transmission encryption and firewall policies.
System and Information Integrity – This control family primarily focuses ion dealing with malware and ensuring alerts are in place to warn of incoming attacks. This family ensures that your organization will be aware of attacks when they begin and ensures your anti-malware solutions are up to date and effective.
WE WORK IN PARTNERSHIP WITH YOU
WE USE AN INNOVATIVE APPROACH
- Platform Security – The processes and infrastructure of MS datacenters to keep information safe
- Secure Access and Sharing – The access management and share settings to ensure sensitive data is not inadvertently disclosed
- Awareness and Insights – Complete visibility to make informed decisions, track, and account for all file activity to include full transparency with reporting and alerts
- Information Governance – The ability to govern the lifecycle of data, including deletion and retention policies, eDiscovery, Mobile Device Management, Single Sign-On, Multi-Factor Authentication and Legal Holds
- Compliance – A service that meets the latest security compliance standards in the industry