Understanding Federal IT Compliance in Three Steps - SharePoint Fest DC

Editor's Notes

• #17: System and Communications Protection Before you can build a house you must have roads, sewers, and electricity in place. The System and Communications Protection control family focuses on all the external infrastructure connections that will support the functions of your information system. Bringing this infrastructure to “code” for NIST 800-171 means that content is encrypted in transit, and at rest, using FIPS validated encryption. (See validated algorithms http://csrc.nist.gov/groups/STM/cavp/validation.html )   Most likely you are already using one of these cryptographic methods to secure inter-system communication. This requirement is so important that it repeats itself throughout several of the controls. After you’ve created the infrastructure, this section focuses on controlling inter-system communication by requiring a set time period for “terminating sessions.” By requiring systems to re-authenticate you reduce the risk of data leakage.  
• #18: Access Control When you design a house, you must decide where the doors and windows will be. If security is a top requirement, you must consider how to control access, and who gets the keys. When protecting Covered Defense Information (CDI) or Covered Technical Information (CTI) information the door is for both internal and external processes. The Access Control family focuses on separating the access of standard users vs. administrators within your network, and ensuring that these accounts have “least privilege.” This has been a standard for many years, so it should only require that you document your processes.   Additionally this control family requires appropriate privacy notices to users entering the system, and limits both the number of logon attempts and the time a user can be connected within a session. Finally, you must encrypt your communications with the outside world, whether via internet, Wi-Fi, or on a wireless device.  
• #19: Physical Protection Once your home is built, you’ll need to protect it. A complete security system logs when doors open and close, alerts you when motion sensors are triggered, and has security cameras for additional monitoring. Similarly, the Physical Protection control family tracks visitors, restricts physical access to sensitive areas, and monitors all community space. Yes, servers do exist, so it’s recommended that you have a method to track access to their data center, racks, and the servers themselves. Digital keycards, video cameras, and controlled access to each section of the facility are highly recommended.  
• #20: Media Protection Even with your doors locked and security system running, you should still keep valuables and important documents in a safe. Similarly, NIST 800-171 recognizes that not all content in your system is created equal. The Media Protection control family requires that CDI is marked at the document level, and if it is stored on any external media. Media includes both physical servers that need to be protected as well as printed materials, and the controls cover how they’re stored and destroyed when no longer needed.   Encryption of CDI content is reinforced on digital transport methods, CD/DVD to thumb drive, and within back-up systems. Another key concern is the ability to use removable devices to download and store CDI data. While turning off all USB ports on laptops might solve that issue, users should also be trained not to transport CDI on external devices.  
• #21: Configuration Management Now that your house is built and secure, let’s talk about decorating. How do you decide where to put your furniture and decorations? The Configuration Management control family is focused on the detailed software level and is about the processes and procedures you take to make sure logical security is in place. It again reaffirms access restrictions from the Access Control family.   Do you restrict what software is installed on servers and/or on staff’s laptops? Record it here, and describe the process that you take to make sure any new software that is added does not affect security and stability of your information system.  
• #22: System & Information Integrity When you have a new home, you want to fill it with safe, high-quality materials. This is similar to the System and Information Integrity control family, which focuses squarely on your information system, and even more specifically on the code within it. You should monitor, identify, and take action if you find flaws in the system, or malicious code from outside parties.   What process do you have in place for responding to these errors? If you have one, formalize it and you are one step closer to fulfilling the NIST 800-171 System Security Plan (SSP).  
• #23: Maintenance Your house, or information system, is no good without constant upkeep. Follow best practices to make sure the hardware and software supporting your information system is in good shape. Make sure you know who is working on your system and what tools (physical or digital) they’re using when performing maintenance. Make sure your processes are in place for internal and external personnel to keep the system at its best.
• #25: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Separate the duties of individuals to reduce the risk of malevolent activity without collusion. Use non-privileged accounts or roles when accessing non-security functions. Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
• #27: Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems. Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. Provide security awareness training on recognizing and reporting potential indicators of insider threat.
• #28: Personnel Security 3.9.2 Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.   Physical Protection 3.10.3 Escort visitors and monitor visitor activity.
• #29: Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. Supervise the maintenance activities of maintenance personnel without required access authorization. Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
• #31: Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. Review and update audited events. Alert in the event of an audit process failure. Use automated mechanisms to integrate and correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity. Provide audit reduction and report generation to support on-demand analysis and reporting. Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. Protect audit information and audit tools from unauthorized access, modification, and deletion. Limit management of audit functionality to a subset of privileged users.
• #32: Risk Assessment 3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.   Security Assessment 3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
• #33: Identify, report, and correct information and information system flaws in a timely manner.
• #34: Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. Track, review, approve/disapprove, and audit changes to information systems.