What is NIST 800-171?
If you haven’t heard anything about NIST, it is likely because you do not work with the federal government, with companies that work with the federal government, or with companies that are overseas. Whether or not this impacts you today, NIST provides a great framework to secure your organization’s and your customers’ data from unwanted hacker activity.
NIST 800-171 is a document of guidelines published by the National Institute of Standards and Technology (NIST) that introduced requirements for protecting Controlled Unclassified Information (CUI) from unauthorized access, with an emphasis on foreign entities. The federal government has adopted this standard as a requirement for any company that is bidding on and/or fulfilling government contracts.
The Importance of NIST 800-171 to Manufacturers
As of December 2017, NIST 800-171 required compliance to “ensure that sensitive federal information remains confidential when stored in non-federal information systems and organizations.” Compliance with these guidelines is mandatory and is enforced by the Department of Defense (DoD). Many non-federal manufacturing organizations have contracts which aid federal agencies in the production of certain products, and they commonly store or transmit sensitive data. With the rise in cyber-attacks over the last few years, protection of this data has become paramount; NIST has therefore become more important than ever, and is enforced accordingly. If you do not discuss your NIST security compliance posture with the DoD, your organization is implying that you are CDI compliant. If you are then audited and found out of compliance, you could be hit with enormous fines, or your organization could be issued a stop-work order that remains in effect until compliance is met.
How to Achieve and Stay NIST Compliant
NIST 800-171 has many rules when it comes to technology controls, and without expertise it is difficult to stay compliant. This leads many organizations to turn to a third party to assess, deploy and maintain security features in order to stay compliant. NIST guidelines specify the following technology practices and controls as areas of emphasis for manufacturing organizations:
Perform an annual risk assessment. This can be a self-assessment or be performed by a third party. However, many organizations don’t have the resources or expertise to conduct a security risk assessment internally. This is a critical first step in understanding which improvements you should focus on first. As a follow-up to the assessment process, it is critical to perform a risk analysis of the identified risks and document a plan to either avoid, mitigate, transfer, or accept those risks.
Document and implement security policies. There are many critical security policies that an organization should document and live by. These policies will be a natural product of the security risk assessment. The following are just some of the policies that should be considered:
Put controls in place around authentication and access:
- Implement a strong authentication process. This will involve strong password policies and some form of multi-factor authentication.
- Implement a “need to know” access policy. This will require a review of each employee’s permissions to see what data they have access to and what privileges they should have to access application and network resources.
- Limit the number and use of privileged accounts. Admin accounts should not be used often, and reducing the number of users with access to them is a great way to control access to critical technology within your environment.
- Control connection of mobile devices. Mobile devices are often used for convenience, but without proper management, corporate data can be lost. It is critical to make sure a policy exists that deals with storage, ownership and removal of corporate and customer data from a personal phone.
- Encrypt storage devices on all workstations and mobile devices. Using an encryption tool like BitLocker is mandatory for safeguarding your data if a device is lost or stolen.
Provide security awareness training. Providing security awareness training (with a specific focus on which data is considered CUI) is one of the most powerful practices you can deploy in terms of security. The biggest threat to any organization’s security is its end users. Unaware employees often fall victim to phishing attacks and other schemes. Training your employees on what to look for is critical.
Create, maintain, and retain audit logs. Proactively watching user and network activity is critical to any security program. Looking for abnormal behavior is a great way to stop an attack before it gets out of control. Maintaining system logs also allows you to go back and look at activity during the time of an attack, track what went wrong, and work out how to improve things for the future.
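As an added example (not from the original article, and not Applied Tech’s code), the following Python script shows the kind of “abnormal behavior” check this section refers to, run over a handful of constructed authentication log lines: a run of failed logins followed by a success from the same account, and successful privileged logins outside business hours or from outside the internal network. The log format, the account names, the 10.0.0.0/8 internal range and the 07:00 to 19:00 business-hours window are all assumptions made for the demonstration.

```python
"""Added example: flag abnormal login activity in authentication audit logs.

Everything here (log format, accounts, networks, hours) is constructed for the
demonstration; adapt parse_log() to whatever your systems actually emit.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. Assumed format:
# "<ISO timestamp> <user> <LOGIN_OK|LOGIN_FAIL> <source ip>"
SAMPLE_LOG = """\
2024-03-04T08:01:10 alice LOGIN_OK 10.0.0.5
2024-03-04T08:02:00 bob LOGIN_FAIL 10.0.0.9
2024-03-04T08:02:05 bob LOGIN_FAIL 10.0.0.9
2024-03-04T08:02:09 bob LOGIN_FAIL 10.0.0.9
2024-03-04T08:02:14 bob LOGIN_FAIL 10.0.0.9
2024-03-04T08:02:20 bob LOGIN_FAIL 10.0.0.9
2024-03-04T08:02:31 bob LOGIN_OK 10.0.0.9
2024-03-04T02:15:00 admin-svc LOGIN_OK 203.0.113.7
2024-03-04T09:30:00 carol LOGIN_OK 10.0.0.12
2024-03-04T10:00:00 dave LOGIN_FAIL 10.0.0.20
2024-03-04T10:00:30 dave LOGIN_OK 10.0.0.20
"""

# Assumed policy values: privileged accounts, internal networks, business hours.
ADMIN_ACCOUNTS = {"admin-svc", "alice"}       # alice is a domain admin in this scenario
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(7, 19)                 # 07:00 up to, not including, 19:00


def parse_log(text):
    """Turn raw lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, outcome, ip = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ok": outcome == "LOGIN_OK", "ip": ipaddress.ip_address(ip)})
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """>= threshold failures inside a sliding window, then a success, is the classic
    guessed-password signature. One failed attempt before a success is normal."""
    findings = []
    recent_failures = defaultdict(list)       # user -> timestamps of recent failures
    for e in events:
        fails = recent_failures[e["user"]]
        fails[:] = [t for t in fails if e["ts"] - t <= window]   # expire old failures
        if e["ok"]:
            if len(fails) >= threshold:
                findings.append({"type": "brute_force_success", "user": e["user"],
                                 "failures": len(fails), "at": e["ts"], "ip": str(e["ip"])})
            fails.clear()
        else:
            fails.append(e["ts"])
    return findings


def detect_admin_anomalies(events, admin_accounts=ADMIN_ACCOUNTS,
                           internal_nets=INTERNAL_NETS, business_hours=BUSINESS_HOURS):
    """Successful privileged logins off-hours or from outside the internal network
    deserve review even though the credentials were correct."""
    findings = []
    for e in events:
        if not e["ok"] or e["user"] not in admin_accounts:
            continue
        if e["ts"].hour not in business_hours:
            findings.append({"type": "admin_offhours", "user": e["user"],
                             "at": e["ts"], "ip": str(e["ip"])})
        if not any(e["ip"] in net for net in internal_nets):
            findings.append({"type": "admin_external_source", "user": e["user"],
                             "at": e["ts"], "ip": str(e["ip"])})
    return findings


def analyze(text):
    """Run every detector over one log text and return the combined findings."""
    events = parse_log(text)
    return detect_brute_force(events) + detect_admin_anomalies(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this reports three findings: bob’s five failures followed by a success, and admin-svc logging in at 02:15 from an address outside 10.0.0.0/8. The thresholds and windows are the tunable part; the retention point in the section is what makes the second half of this possible, since none of these checks can run over logs you no longer have.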
How to Get Started on the Road to Compliance
Many organizations will employ third-party help to create, implement, and comply with these requirements. Applied Tech has multiple experts on staff who can help you become compliant. With multiple Managed Security packages that have been specifically designed to meet compliance needs, Applied Tech is an industry leader with experience deploying these vital technologies to organizations throughout Wisconsin.
Want to get started? Fill out this form to have a conversation with an Applied Tech expert today!