In a nutshell, the attributes of data protection and information system accountability are instantiated in the National Institute of Standards and Technology (NIST) standards. If your company is pursuing Department of Defense (DoD) contracts, you will need to demonstrate compliance with the applicable NIST publication (for contractors, NIST Special Publication 800-171) to satisfy the baseline cybersecurity requirement that the Defense Federal Acquisition Regulation Supplement (DFARS) imposes on any contractor that transmits, processes or stores Controlled Unclassified Information (CUI). That requirement exists to protect both you and your customers whenever CUI passes through your systems.
Breaking it Down – What, Precisely, is NIST Compliance?
In the private sector, competition arises naturally and tends to produce the best products at the lowest price for consumers. That pressure is harder to reproduce in the public sector, where government funds the technology and promotes the science; NIST standards are intended to supply some of that discipline so that publicly funded projects deliver more for the money. More "bang for the buck", so to speak. For information security this takes the form of standardized requirements: a published catalog of controls lets technology and science companies align their security programs to a recognized standard, which makes later compliance work, and the audits that come with it, more predictable and less costly.
NIST Special Publication 800-53 – The Details
This document, officially designated NIST SP 800-53, is a catalog of security and privacy controls for information systems. The controls are grouped into families (access control, audit and accountability, configuration management, and so on) and selected by baseline (low, moderate or high) according to the impact level of the system being protected. The catalog is not itself a step-by-step process; the process that selects, implements, assesses and monitors those controls is the Risk Management Framework described in NIST SP 800-37. Working through that framework with the 800-53 catalog involves, among other things:
- Maintaining documentation (system security plan, assessment results, plans of action)
- Establishing assessor and auditing services/teams
- Setting time frames for assessment and remediation
- Enumerating the selected controls and how each is implemented
- Facilitating communication between system owners, assessors and management
- Establishing ongoing oversight and continuous monitoring
NIST Special Publication 800-171
Branching off the previous publication, NIST 800-171 applies the 800-53 catalog to one specific problem: protecting Controlled Unclassified Information (CUI) on nonfederal systems, such as a contractor's own network. If your company handles CUI under a DoD contract, DFARS clause 252.204-7012 requires you to implement 800-171; it is not optional. The document can be read as a tailored subset of 800-53: its requirements are derived from the 800-53 moderate baseline, with controls that only make sense for federal systems removed. Which publication applies to you is therefore determined by your role rather than by preference: 800-53 governs federal information systems, and 800-171 governs nonfederal systems that store, process or transmit CUI.
- Establishing a NIST Risk Assessment
The first order of business in a risk assessment is to review the publication that applies to you. For CUI that is NIST SP 800-171, which lists the requirements for storing, processing and transmitting CUI; the method for conducting the assessment itself is described in NIST SP 800-30. In practice this means inventorying where CUI lives, scanning for vulnerabilities and control gaps, and only then amending the system.
NIST 800-171 is a narrower derivative of 800-53, not an extension of it. Companies that do not handle CUI are not bound by either publication under DFARS, although 800-171 remains a practical baseline for them; companies that do handle CUI must meet 800-171. Implementing the full 800-53 moderate baseline covers the 800-171 requirements, since they are derived from it, but it does not replace the 800-171 assessment DFARS expects: you still need to document how each 800-171 requirement is met. Where 800-171 treats an area thinly, such as supply chain risk management, 800-53 is the place to look for the fuller control set.
- Making NIST Compliant Access Controls
Essentially, you can read NIST 800-171 for a quick rundown of the requirements; refer to NIST 800-53 for the full control catalog and the guidance behind each control. Both publications place heavy emphasis on access control, which has its own control family in each.
One of the most effective access control measures is also straightforward: separate duties within the organization. Splitting responsibilities among individuals limits what any single person can do alone, so that stealing or misusing company information requires collusion, which is harder to arrange and easier to detect. The principle of least privilege applies alongside it: each account gets only the permissions its duties require, and nothing more. Implementing both usually involves account management tooling, such as role-based access control with periodic review of role assignments, automated provisioning and deprovisioning, and dynamic controls that adjust privileges as people change roles.
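The separation-of-duties and least-privilege checks described above, as an added example that is not part of the original article and not taken from either NIST publication. The role names, permissions and conflict pairs are constructed for illustration; NIST requires the controls but does not prescribe this data model.

```python
"""Added example: enforcing separation of duties (SoD) and least privilege in
a small role-based access control (RBAC) model. Roles, permissions and the
conflict pairs are hypothetical, constructed for this example."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical role -> permission mapping. Each role carries only what its
# duty needs (least privilege): an approver cannot also create requests.
ROLE_PERMISSIONS = {
    "requester": {"payment:create"},
    "approver": {"payment:approve"},
    "auditor": {"audit:read"},
    "admin": {"user:manage"},
}

# Pairs of permissions that must never be held by the same person, because
# together they let one actor complete a sensitive transaction alone.
SOD_CONFLICTS = {
    frozenset({"payment:create", "payment:approve"}),
    frozenset({"user:manage", "audit:read"}),
}


class SeparationOfDutiesError(Exception):
    """Raised when a role assignment would give one user conflicting powers."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def permissions(self) -> set:
        """Effective permissions are the union of all assigned roles."""
        perms = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS[role]
        return perms


def violates_sod(perms: set) -> Optional[set]:
    """Return the conflicting pair contained in `perms`, or None."""
    for pair in SOD_CONFLICTS:
        if pair <= perms:
            return set(pair)
    return None


def grant_role(user: User, role: str) -> User:
    """Add a role only if the resulting permission set stays conflict-free."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    candidate = user.permissions() | ROLE_PERMISSIONS[role]
    conflict = violates_sod(candidate)
    if conflict:
        raise SeparationOfDutiesError(
            f"{user.name}: role {role!r} would combine {sorted(conflict)}"
        )
    user.roles.add(role)
    return user


def authorize(user: User, permission: str) -> bool:
    """Default-deny check: a user may act only with an explicit permission."""
    return permission in user.permissions()


def review_assignments(users: list) -> list:
    """Periodic access review: report users whose current roles violate SoD.
    This catches drift, e.g. roles granted by a path other than grant_role()."""
    findings = []
    for u in users:
        conflict = violates_sod(u.permissions())
        if conflict:
            findings.append((u.name, sorted(conflict)))
    return findings


if __name__ == "__main__":
    alice = grant_role(User("alice"), "requester")
    print("alice may create:", authorize(alice, "payment:create"))
    try:
        grant_role(alice, "approver")
    except SeparationOfDutiesError as exc:
        print("blocked:", exc)
    bob = User("bob", {"requester", "approver"})  # assigned outside the policy
    print("review findings:", review_assignments([alice, bob]))
```

The two enforcement points are deliberate: `grant_role` prevents a conflict at assignment time, while `review_assignments` is the periodic review that finds conflicts introduced by any other path (a direct database edit, an import from HR, a legacy account). A program that has only the first will drift; a program that has only the second is permanently behind.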
- The Importance of Managing Audit Documentation
Both Special Publications require audit records, but the difference, once again, is that NIST 800-53 goes into considerably greater depth than NIST 800-171. Smaller science and technology companies working to 800-171 still need an ongoing program of log collection, analysis and monitoring that is sufficient to investigate and report unlawful or unauthorized system activity; critically, the audit records must allow the actions of individual users to be traced back to those users, which shared and generic accounts defeat.
Although the full 800-53 catalog is written for federal systems and is usually adopted in full only by larger organizations, smaller companies can still benefit from its detailed guidance on responding to audit logging failures and on audit review and reporting procedures.
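The traceability requirement described above, worked through on a handful of constructed log lines, as an added example that is not part of the original article. The JSON-lines format, the field names and the list of shared account names are assumptions of this example, not a format either NIST publication prescribes.

```python
"""Added example: checking that audit records can be traced to an individual
user, and tracing activity back to each user. The log lines below are
constructed for illustration; the field names are an assumption."""
import json
from collections import Counter, defaultdict

# Constructed sample records in a JSON-lines layout assumed for this example.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:00:01Z", "user": "alice", "event": "login", "outcome": "success", "src": "10.0.0.5"}
{"ts": "2024-03-01T09:02:14Z", "user": "alice", "event": "file.read", "target": "/cui/contract.pdf", "outcome": "success"}
{"ts": "2024-03-01T09:05:40Z", "user": "admin", "event": "file.delete", "target": "/cui/contract.pdf", "outcome": "success"}
{"ts": "2024-03-01T09:06:00Z", "event": "file.read", "target": "/cui/sow.docx", "outcome": "success"}
{"ts": "2024-03-01T09:07:22Z", "user": "bob", "event": "login", "outcome": "failure", "src": "203.0.113.9"}
{"ts": "2024-03-01T09:07:30Z", "user": "bob", "event": "login", "outcome": "failure", "src": "203.0.113.9"}
"""

# Generic or shared account names (hypothetical list): an event recorded under
# one of these cannot be tied to a person, so individual accountability fails.
SHARED_ACCOUNTS = {"admin", "root", "service", "shared"}
REQUIRED_FIELDS = ("ts", "user", "event", "outcome")


def parse_log(text: str) -> list:
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def traceability_findings(records: list) -> list:
    """Return (index, reason) for every record that cannot be attributed to a
    unique individual user or lacks a field needed for investigation."""
    findings = []
    for i, rec in enumerate(records):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            findings.append((i, f"missing fields: {missing}"))
            continue
        if rec["user"] in SHARED_ACCOUNTS:
            findings.append((i, f"shared account {rec['user']!r}"))
    return findings


def actions_by_user(records: list) -> dict:
    """Trace activity back to each user: user -> [(ts, event, target), ...].
    Records with no user field land under '<unattributed>' so they are visible
    rather than silently dropped."""
    trail = defaultdict(list)
    for rec in records:
        user = rec.get("user", "<unattributed>")
        trail[user].append((rec["ts"], rec["event"], rec.get("target")))
    return dict(trail)


def failed_login_counts(records: list) -> Counter:
    """Simple monitoring query: failed logins per (user, source address)."""
    return Counter(
        (rec.get("user"), rec.get("src"))
        for rec in records
        if rec.get("event") == "login" and rec.get("outcome") == "failure"
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for idx, reason in traceability_findings(recs):
        print(f"record {idx}: {reason}")
    for user, events in actions_by_user(recs).items():
        print(user, events)
    print(failed_login_counts(recs))
```

On the constructed input, the deletion of a CUI file is attributed only to `admin`, and one read of a CUI file carries no user at all; both are exactly the records an investigator would need to attribute and cannot. Fixing that is an account management problem (named accounts, no shared logins) as much as a logging one, which is why the access control and audit families reinforce each other.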
Facilitating the Extensive Requirements of NIST with Automation
Much of this can initially seem unwieldy, but a governance, risk and compliance tool such as ZenGRC can organize and speed up the process. Such software inventories the controls you document, maps them to the requirements of each relevant regulation, and reports the gaps that remain before an assessor finds them.