Since December 2015 there has been a DFARS clause (225.204-7012) requiring contractors to institute the standards outlined in NIST Special Publication (SP) 800-171. There was an implementation window of two years, and that window runs out as of December 31st, 2017, making compliance with SP 800-171 a full-stop requirement.
In case you’re just catching this now, SP 800-171 covers the protection of sensitive federal information, dubbed “Controlled Unclassified Information” or CUI, while that information is residing on non-federal systems. NIST specifically states the purpose of 800-171 as the following:
“The protection of sensitive federal information while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations, including those missions and functions related to the critical infrastructure.”
A High-Level Overview of the Key Requirements in NIST SP 800-171
If you’re coming at this new standard from the mobile device perspective, there are a few areas that we think are particularly relevant and interesting to understand, namely Access Control, Audit & Accountability and Media Protection. We’ll review the key sections for mobility below.
3.1.18 Control Connection of Mobile Devices
Mapping 3.1.18 to AC-19 in NIST SP 800-53, we can see that the control includes the following for mobile devices:
- Establish usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices;
- Authorize the connection of mobile devices to organizational systems; and
- Protect and control mobile devices when outside of controlled areas.
Ensure you understand which devices are approved and which aren’t, and don’t allow unapproved devices to mount their filesystems.
Highlight: secRMM has the ability to unmount non-whitelisted devices from the operating system, allowing users to charge but not transfer. See it LIVE here.
3.1.21 Limit Use of Organizational Portable Storage Devices on External Information Systems
Mapping 3.1.21 to AC-20(2) in NIST SP 800-53 we can see that “use of external information systems” includes the following for devices:
- Access the system from external systems; and
- Process, store, or transmit organization-controlled information using external systems.
Ensure you limit or remove the use of portable storage devices, but if they are used ensure you appropriately track Controlled Unclassified Information being transferred to the devices.
Highlight: secRMM can limit the use of portable storage devices using whitelisting policy rules such as AllowedSerialNumbers, AllowedInternalIds, AllowedUsers, AllowedPrograms. See it LIVE here.
3.3.1 Create, Protect and Retain System Audit Records to the Extent Needed to Enable the Monitoring, Analysis, Investigation, and Reporting of Unlawful, Unauthorized or Inappropriate System Activity
This is a fairly broad requirement that maps to many of the NIST 800-53 audit security controls (AU-2, AU-3, AU-6 and AU-12). We’ll reference the one we think is most important, AU-3, which states that audit records must include “what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.”
Ensure you have audit records that track any device connections or transfers of Controlled Unclassified Information, including the full range of audit details to track the 4W’s (who, what, where, when).
Highlight: All required data is collected by secRMM, and audit event data is stored in Windows “event log files”, easily allowing both centralized log storage and historical archival.
3.8.7 Control the use of removable media on information system components
Mapping 3.8.7 to MP-7 in NIST SP 800-53 we can see that “control the use of removable media” includes the following:
- Prohibit the use of organization-defined media on organization-defined components using organization-defined safeguards; and
- Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.
Ensure you define safeguards around which devices can connect to which systems, and that devices with no identifiable owner cannot be used.
Highlight: A large range of removable media devices can be whitelist controlled via secRMM, including USB/thumb drives (encrypted and non-encrypted), mobile devices (Apple, Android, Windows, BlackBerry), external hard drives, CD/DVD/BluRay and SD-Cards.
3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner
To hammer home the point, SP 800-171 also maps a separate 3.8.8 to subsection MP-7(1) in SP 800-53, specifically calling out the restriction on devices which have no identifiable owner. They go on to say:
- Requiring identifiable owners for portable storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.
Ensure you block devices where an owner cannot be associated with connection or data transfer events.
Highlight: There are two key mechanisms in secRMM which can map identifiable owners to devices, and can force users to authenticate from mobile devices to successfully connect. See AD Integration LIVE here.
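As an added illustration (not secRMM code; the rule semantics and field names are assumptions), the following Python models the allow-list rule types named under 3.1.21, the identifiable-owner requirement of 3.8.8, and the AU-3 audit fields from 3.3.1, applied to a constructed removable-media connection event:

```python
"""Illustrative removable-media policy check and AU-3 style audit record.
Constructed example modelled on the SP 800-171 controls above; not secRMM."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # Allow-lists named after the rule types mentioned on the page; the
    # exact matching semantics here are an assumption for illustration.
    allowed_serial_numbers: set = field(default_factory=set)
    allowed_users: set = field(default_factory=set)
    allowed_programs: set = field(default_factory=set)
    # Device serial -> responsible owner (3.8.8: no owner, no use).
    owners: dict = field(default_factory=dict)


@dataclass
class ConnectEvent:
    host: str        # where the event occurred
    user: str        # identity associated with the event
    serial: str      # device being connected
    program: str     # source process requesting the connection/transfer
    timestamp: str   # when, as an ISO 8601 string


def evaluate(policy: Policy, ev: ConnectEvent):
    """Return (allowed, reason). Every applicable allow-list must admit the
    event and the device must have an identifiable owner; first failing
    check wins so the audit record carries a precise outcome."""
    if ev.serial not in policy.allowed_serial_numbers:
        return False, "serial not whitelisted"
    if ev.serial not in policy.owners:
        return False, "no identifiable owner"
    if ev.user not in policy.allowed_users:
        return False, "user not permitted"
    if ev.program not in policy.allowed_programs:
        return False, "program not permitted"
    return True, "allowed"


def audit_record(policy: Policy, ev: ConnectEvent) -> dict:
    """Build an AU-3 style record: type, when, where, source, outcome,
    identity, plus the device and its owner for the 4W's."""
    allowed, reason = evaluate(policy, ev)
    return {
        "event_type": "removable_media_connect",
        "when": ev.timestamp,
        "where": ev.host,
        "source": ev.program,
        "outcome": "allowed" if allowed else f"blocked: {reason}",
        "identity": ev.user,
        "device_serial": ev.serial,
        "device_owner": policy.owners.get(ev.serial, "unknown"),
    }
```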
3.8.9 Protect the confidentiality of backup CUI at storage locations.
Mapping 3.8.9 to CP-9 in NIST SP 800-53 we can see that “protecting the confidentiality” includes the following:
- Conduct backups of user-level information contained in the system;
- Conduct backups of system-level information contained in the system;
- Conduct backups of system documentation including security-related documentation; and
- Protect the confidentiality, integrity, and availability of backup information at storage locations.
Ensure that all security and audit information related to mobile devices or portable storage devices is redundantly backed up, stored securely, and the integrity of the backups is assured.
Highlight: All secRMM event data is contained in standalone Windows Event Log backup (.evtx) files. These files are easily compressible using COTS compression software, which can password protect and encrypt them when necessary.
By December 31 of this year you must be compliant with NIST 800-171. There are implications for mobility and portable media, and we hope that the outline above simplifies the key requirements that you need to keep in mind.
Our secRMM product is a COTS product specifically designed for governments to meet the kind of stringent criteria that NIST publications require.
WHAT TO DO NEXT?
Contact us to see a demonstration of our solution.
Or watch an overview of the secRMM integration with Microsoft Systems Center.
Or if you’re really impatient, jump right to downloading the trial.