If you’re a Department of Defense (DoD) contractor or a manufacturer in the DoD supply chain who is required to implement NIST SP 800-171 security controls and planning to implement Cybersecurity Maturity Model Certification (CMMC), you know cybersecurity compliance is a must.
The DoD recently issued an Interim Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS), effective November 30, 2020. The rule introduced a new mandatory construct, the NIST SP 800-171 DoD Assessment Methodology.
The Interim Rule is designed to phase in both the newly required Assessment Methodology and the CMMC framework. At its Basic level the DoD Assessment Methodology is a contractor self-assessment scored against the NIST SP 800-171 requirements; it bridges the gap until contractors undergo a full CMMC assessment.
What is NIST SP 800-171?
NIST SP 800-171 is a U.S. standard for protecting controlled unclassified information (CUI) in non-federal systems and organizations. CUI is unclassified information that the federal government creates or possesses, or that a contractor or grantee handles on the government's behalf, and that law, regulation, or government-wide policy requires to be safeguarded. For higher education institutions, such data may include information from federally funded research or grants and student financial aid records. Other regulations such as FISMA and GLBA cover particular agencies or data types; NIST SP 800-171 applies where CUI leaves federal systems and those regulations do not explicitly address its protection.
What Are the Requirements?
Complying with NIST SP 800-171 means meeting 110 individual security requirements across the following 14 families:
Access Control. Limit system access to authorized users, processes, and devices, and to the transactions and functions those users are permitted to perform.
Awareness and Training. Make managers, users, and administrators aware of security risks and train them for their roles.
Audit and Accountability. Create, protect, retain, and review system audit logs so that individual users can be held accountable for their actions.
Identification and Authentication. Identify users, processes, and devices and authenticate them before granting access, including multi-factor authentication for privileged and network access.
Configuration Management. Establish and maintain baseline configurations and control changes against them.
Incident Response. Establish capabilities for preparing for, detecting, analyzing, containing, recovering from, and reporting cybersecurity incidents.
Maintenance. Perform system maintenance and control the tools, techniques, and personnel used for it.
Media Protection. Protect, control, sanitize, and destroy media containing CUI.
Personnel Security. Screen individuals before authorizing access to CUI, and protect CUI during and after personnel actions such as terminations and transfers.
Physical Protection. Limit physical access to systems, equipment, and operating environments to authorized individuals.
Risk Assessment. Periodically assess the risk from processing, storing, and transmitting CUI, and scan for vulnerabilities.
Security Assessment. Periodically assess security controls, maintain a system security plan, and develop plans of action to correct deficiencies.
System and Communications Protection. Monitor, control, and protect communications at system boundaries, and apply secure engineering principles and cryptographic protections.
System and Information Integrity. Identify and correct flaws, protect against malicious code, and monitor security alerts and advisories.
In a 2016 letter, the government recognized the level of investment and effort required to comply with these standards; however, it stressed the importance of compliance because of increased cybersecurity threats.
Institutions of higher education may regard NIST standards as excessive. Many of the smaller institutions do not see themselves as possible targets of a cyberattack and are not concerned with 100% compliance. Unfortunately, that assumption is incorrect.
According to a 2020 report on data breaches, ransomware accounted for 80% of malware-related incidents at higher education institutions, up 48% from the previous year's report. The report attributed much of this to malware delivered through websites, reaching institutions through largely unmonitored email and internet activity by students, faculty, and staff using their own devices.
A primary concern for educational institutions is incident reporting. Almost 25% lack a reporting process, and 50% could not supply the required evidence of an incident. These lapses do not cause an attack, but they turn one into a compliance failure as well: an institution that cannot detect, document, and report an incident as required risks reputational damage and financial penalties, and, depending on the agency, loss of federal funding.
According to an IBM report, loss of reputation has the largest financial impact on an organization because it translates into lost customers. It can take years to rebuild confidence, and in some instances it is never restored. As more institutions adopt distance learning, the attack surface grows with the number of endpoints. Maintaining high security standards is essential to reducing the risk of an incident.
Depending on the government agency and the severity of a breach or incident, institutions could lose funding. For research institutions, the loss of government funding or the revoking of grants not only hurts the financial health of the organization but also its ability to attract researchers. Researchers will not join an institution if a failure to comply could cost them their funding.
Although the government has given institutions years to comply, compliance will eventually be enforced. An institution found out of compliance may face penalties, including financial penalties beyond the loss of funding. Compliance is therefore a condition of continued federal funding and of the institution's economic viability.
What are Best Practices?
The best approach to compliance includes the following:
Document which CUI, and which other sensitive data, resides on the network and where. Some government agencies may help identify the types of data that need to be secured. Even if they do not, the institution remains responsible for classifying data such as routing numbers, residency status, or identification numbers.
Implement a least-privilege model for accessing the information. Consolidating similar data makes it easier to restrict access than when it is spread across the network. Be prepared to report on who has access to CUI.
Audit all activity and report abnormal activity according to NIST guidelines. The process should specify what evidence must be collected to evaluate an incident.
Together these three steps establish what CUI exists, where it is stored, and who has access to it. They require a restricted permissions model that can be tightened with stronger authentication, such as multi-factor authentication and a centralized identity provider, and they put in place an auditing framework that can be extended as the institution addresses each security requirement.
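What the three steps look like in practice, as an added example that is not code from the original article or from Cymonix: the script below takes a constructed inventory of data stores tagged by classification, group-based access lists, and identity records carrying an MFA flag; it produces the "who has access to CUI" report, flags least-privilege and MFA gaps in that model, and then checks constructed access-log lines against the model to surface abnormal activity. All store, group, and user names, the `BROAD_GROUPS` set, and the log lines are made up for illustration.

```python
# Added example (not from the original article): a minimal CUI access review.
# The inventory, identities and log lines below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class DataStore:
    name: str
    classification: str       # e.g. "CUI", "INTERNAL", "PUBLIC"
    allowed_groups: Set[str]  # groups granted access (the ACL)


@dataclass
class Identity:
    user: str
    groups: Set[str]
    mfa_enrolled: bool
    active: bool = True


Report = Dict[str, List[Tuple[str, List[str]]]]

# Step 1: documented inventory of data stores and their classification.
STORES = [
    DataStore("research-share/grant-123", "CUI", {"grant123-researchers"}),
    DataStore("finaid/fafsa-exports", "CUI", {"finaid-staff", "all-staff"}),
    DataStore("wiki/public", "PUBLIC", {"all-staff", "students"}),
]

# Identity records as exported from a (hypothetical) central identity provider.
IDENTITIES = [
    Identity("alice", {"grant123-researchers", "all-staff"}, mfa_enrolled=True),
    Identity("bob", {"all-staff"}, mfa_enrolled=False),
    Identity("carol", {"finaid-staff", "all-staff"}, mfa_enrolled=True),
    Identity("dave", {"grant123-researchers"}, mfa_enrolled=False, active=False),
]

# Groups too broad to ever be an acceptable grant on CUI (assumed policy).
BROAD_GROUPS = {"all-staff", "students", "everyone"}


def cui_access_report(stores: List[DataStore], identities: List[Identity]) -> Report:
    """Step 2 output: for every CUI store, who can reach it and through which groups."""
    report: Report = {}
    for store in stores:
        if store.classification != "CUI":
            continue
        entries = []
        for ident in identities:
            via = ident.groups & store.allowed_groups
            if via:
                entries.append((ident.user, sorted(via)))
        report[store.name] = sorted(entries)
    return report


def findings(stores: List[DataStore], identities: List[Identity]) -> List[str]:
    """Least-privilege and authentication gaps in the current access model."""
    issues = []
    for store in stores:
        if store.classification != "CUI":
            continue
        broad = store.allowed_groups & BROAD_GROUPS
        if broad:
            issues.append(f"{store.name}: CUI granted to broad group(s) {sorted(broad)}")
        for ident in identities:
            if not (ident.groups & store.allowed_groups):
                continue
            if not ident.active:
                issues.append(f"{store.name}: inactive account {ident.user} still has access")
            elif not ident.mfa_enrolled:
                issues.append(f"{store.name}: {ident.user} has CUI access without MFA")
    return issues


# Step 3 input: constructed access-log lines, "<timestamp> <user> <store> <action>".
ACCESS_LOG = [
    "2021-03-01T09:12:00Z alice research-share/grant-123 read",
    "2021-03-01T09:15:00Z bob finaid/fafsa-exports read",
    "2021-03-01T10:03:00Z carol finaid/fafsa-exports write",
    "2021-03-01T11:00:00Z eve finaid/fafsa-exports read",
    "2021-03-01T22:40:00Z dave research-share/grant-123 read",
]


def abnormal_access(log_lines: List[str], report: Report, identities: List[Identity]) -> List[str]:
    """Flag CUI accesses the access model does not explain: a user with no
    entitlement (ACL drift or a bypass) or an inactive account still in use."""
    inactive = {i.user for i in identities if not i.active}
    alerts = []
    for line in log_lines:
        ts, user, store, action = line.split()
        if store not in report:  # not a CUI store; out of scope for this review
            continue
        entitled = {u for u, _ in report[store]}
        if user not in entitled:
            alerts.append(f"{ts} {user} {action} {store}: no entitlement in access model")
        elif user in inactive:
            alerts.append(f"{ts} {user} {action} {store}: inactive account in use")
    return alerts


if __name__ == "__main__":
    access = cui_access_report(STORES, IDENTITIES)
    for store_name, entries in access.items():
        print(store_name)
        for user, via in entries:
            print(f"  {user} via {', '.join(via)}")
    print("\n".join(findings(STORES, IDENTITIES)))
    print("\n".join(abnormal_access(ACCESS_LOG, access, IDENTITIES)))
```

Run it as is and the report shows that `finaid/fafsa-exports` is reachable by every member of `all-staff`, which is exactly the kind of over-broad grant the least-privilege step is meant to eliminate; the findings list the unenrolled and inactive accounts that inherit that access, and the log check surfaces a read by a user the model never authorized. In a real deployment the inventory, group memberships, and log lines would be pulled from the data stores, the identity provider, and the audit pipeline rather than embedded in the script.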
If you believe you are experiencing a security incident, call our incident response hotline immediately: (860)-785-0614.
We're Here To Help
Cybersecurity incidents can ruin a manufacturer's reputation. In the manufacturing sector, reputation is everything. At Cymonix, we understand how overwhelming the NIST standard can be. That's why we are ready to help you stay in compliance and protect your reputation.