New guidelines governing the transmission, storage and use of protected data create compliance challenges for companies and contractors looking to do business with federal and state agencies.
Companies wanting to continue to do business with certain federal departments and agencies have just a few months to ensure that their cybersecurity protocols are up to par.
That’s because of the December 31st deadline for companies to demonstrate compliance with new guidelines prepared by the National Institute of Standards and Technology (NIST). The NIST is a non-regulatory federal agency that focuses on driving innovation and economic competitiveness for U.S.-based companies in science and technology industries.
The NIST establishes technologies, standards, and metrics that allow federal agencies to comply with guidelines that protect information systems and data. It establishes the standards that federal agencies need to follow for security controls for information systems.
Specifically, the NIST guidelines require contractors, businesses or individuals that work with or for federal or state agencies to have documented system controls in place for dealing with controlled unclassified information (CUI). Federal agencies often share this type of information with business partners and collaborators, and the new guidelines are intended to keep that data safeguarded.
14 Categories of Controls
The guidelines require those working with federal agencies to demonstrate compliance with 14 different categories of process and control.
- Access Control. This guideline ensures partners limit system access to authorized users only.
- Awareness and Training. Companies must ensure that employees are aware of risks to information security and provide adequate training to minimize risk.
- Audit and Accountability. System logs, which track access to critical information and processes, are essential. These guidelines ensure the proper creation, protection, retention, and review of those logs.
- Configuration Management. Baseline system configurations need to be recorded, as do change management protocols that are robust and focus on protection.
- Identification and Authentication. Identification is a critical component of system security and prevents unauthorized access. These requirements govern how central and multi-factor authentication and access to system resources are managed.
- Incident Response. In the case of an issue with access, theft or corruption of data, companies need operational procedures that guide detection, analysis, containment, recovery, and response, as well as preparation procedures.
- Maintenance. These requirements ensure that there are standard maintenance protocols so that upgrades and corrective actions do not compromise data.
- Media Protection. Any media containing CUI needs to be sanitized and destroyed properly.
- Personnel Security. Companies need to have systems and procedures in place that screen individuals before they are granted access to systems containing CUI.
- Physical Protection. In addition to controlling digital access, companies also must ensure that physical access to system hardware and storage is limited and security measures are in place.
- Risk Assessment. Doing work with federal agencies requires organizations to conduct an assessment of the operational risks that exist to the transmission, processing, and storage of CUI.
- Security Assessment. Companies need to assess the security controls in place and have plans to address deficiencies to limit
- System and Communication Protection. Organizations must demonstrate using secure design principles for system architecture and software development life cycles.
- System and Information Security. Monitoring tools must be in place to alert companies of system vulnerabilities and flaws.
Within those 14 broad categories are more than 100 specific controls that must be documented and in place by the end of 2017.
Risk of Non-Compliance
For any company that processes, stores or transmits the potentially sensitive information governed by the NIST guidelines, the risks of non-compliance are significant. Federal and state agencies can sever contracts with non-compliant partners. Companies wanting to establish compliance need to act quickly to meet the federal deadline.
Companies need to ask more questions, including:
- What vulnerabilities exist within our systems and processes?
- How will we address those vulnerabilities?
- What training is necessary for our staff, vendors, and clients?
- How will we maintain compliance on an ongoing basis?
While all the NIST compliance elements are critical, there are some that are more challenging for many companies. Here’s a closer look at three of the most complicated aspects of the guidelines.
Encryption. Encryption comes into play in two of the 14 categories: Access Control and Identification and Authentication.
Under Access Control, the guidelines state that wireless access to systems needs to be protected using encryption methods. In addition, any data used or stored on mobile devices must also be encrypted. An Identification and Authentication guideline calls for passwords to be encrypted both in storage and in transmission.
Companies will need to use validated cryptography tools. Their existing system designs may be flawed, requiring third-party assistance to ensure proper encryption procedures.
Incident Response and Reporting. In addition to the operational procedures detailed above, the NIST guidelines require companies to track, document and report incidents to the proper authorities or authorized personnel both within and external to the organization. Testing must also be done regularly to ensure compliance with the defined guidelines.
For example, Department of Defense guidelines cover even a potential compromise. Within 72 hours of a potential issue being identified, a contractor must review the evidence and report the findings of that review to the agency. These mandates mean that companies need to have a well-defined plan and a response team ready to activate and execute promptly.
Continuous Monitoring. While continuous monitoring is not one of the 14 broad categories, there are 10 different controls that require ongoing monitoring and investigation. This area shows up in remote access sessions, user-installed software, physical location and infrastructure, visitor activity, use of mobile code, voice over internet protocol (VoIP) tools, and inbound and outbound communication traffic.
The volume of required monitoring can trip up companies seeking compliance, driving some organizations to outsource the monitoring required by the NIST guidelines.
Companies that want to maintain good working relationships with agencies will need some assistance to ensure compliance prior to the December 31st deadline and on an ongoing basis. Without documentation and procedures in place, companies that rely on work with key agencies will find themselves on the outside looking in.